Security releases for several Horde applications
On December 11 we released security fixes for several Horde applications and the Horde Application Framework itself. All fixes close XSS vulnerabilities, but none of these holes can be exploited remotely or by unauthenticated users. We still recommend upgrading as soon as possible.
Many thanks to Johannes Greil of SEC Consult for reporting these problems and working with us to test the fixes. The advisory can be found on their website.
Major changes compared to the Horde version 3.0.7 are:
- Fix escaping of data in the preferences templates.
- Fix escaping of data in the data import templates.
- Fix output escaping of Horde_Form_Type_cellphone in UI_VarRenderer_html.
- Close several XSS problems in the share edit window.
- When deleting an identity, don't show the deleted identity in the default identity select dropdown on the next page load.
- Fix weather.com portal block.
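The Horde fixes above all come down to output escaping of stored data in templates and variable renderers. As an added example that is not Horde's own code, the following hypothetical PHP renderer (function names `h`, `render_text_unescaped`, `render_text` and `render_select` are assumptions) shows the unescaped pattern beside its corrected form.

```php
<?php
// Added example, not Horde's own code. The fixes listed above share one root
// cause: a template or variable renderer wrote stored data (names, titles,
// preference values) into HTML verbatim. This hypothetical renderer shows the
// unescaped pattern and the corrected one side by side.

// Single escaping helper: ENT_QUOTES covers both quote styles, so the value is
// safe in double- and single-quoted attributes as well as in element text;
// the charset is stated explicitly rather than relying on the default.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern (the class of bug fixed above): value emitted as-is.
function render_text_unescaped(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Corrected pattern: every dynamic fragment goes through h().
function render_text(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Corrected select renderer, e.g. for a default-identity dropdown: option
// values and labels are escaped, and the selected flag is set only on the
// option whose key matches the stored selection.
function render_select(string $name, array $options, string $selected): string
{
    $html = '<select name="' . h($name) . '">';
    foreach ($options as $value => $label) {
        $attr = ((string) $value === $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . h((string) $value) . '"' . $attr . '>'
               . h($label) . '</option>';
    }
    return $html . '</select>';
}

// Constructed sample data containing HTML metacharacters.
$contact    = 'O\'Neil <"&">';
$identities = ['0' => 'Default <work>', '1' => 'Personal "home"'];

echo render_text_unescaped('name', $contact), "\n"; // metacharacters pass through
echo render_text('name', $contact), "\n";           // metacharacters are entity-encoded
echo render_select('default_identity', $identities, '1'), "\n";
```

Compare the first two output lines: the unescaped form lets quotes and angle brackets from stored data close the attribute, which is exactly what the template fixes above prevent.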
Major changes compared to the Kronolith version H3 (2.0.5) are:
- Close several XSS problems with calendar and event fields.
Major changes compared to the Mnemo version H3 (2.0.2) are:
- Close several XSS vulnerabilities with note and notepad data.
Major changes compared to the Nag version H3 (2.0.3) are:
- Close several XSS vulnerabilities with task and tasklist data.
Major changes compared to the Turba version H3 (2.0.4) are:
- Close several XSS vulnerabilities with address book and contact data.