Source: php-horde
Version: 5.2.21+debian1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 5.2.20+debian0-1+deb10u1
Control: found -1 5.2.13+debian0-1+deb9u1

Hi,

The following vulnerability was published for php-horde.

CVE-2020-8035[0]:
| The image view functionality in Horde Groupware Webmail Edition before
| 5.2.22 is affected by a stored Cross-Site Scripting (XSS)
| vulnerability via an SVG image upload containing a JavaScript payload.
| An attacker can obtain access to a victim's webmail account by making
| them visit a malicious URL.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8035
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8035
[1] https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
[2] https://lists.horde.org/archives/announce/2020/001290.html

Regards,
Salvatore