Executive Summary
| Summary | |
|---|---|
| Title | New kronolith packages fix cross-site scripting |
| Informations | |||
|---|---|---|---|
| Name | DSA-970 | First vendor Publication | 2006-02-14 |
| Vendor | Debian | Last vendor Modification | 2006-02-14 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:S/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 3.5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Johannes Greil of SEC Consult discovered several cross-site scripting vulnerabilities in kronolith, the Horde calendar application. The old stable distribution (woody) does not contain kronolith packages. For the stable distribution (sarge) these problems have been fixed in version 1.1.4-2sarge1. For the unstable distribution (sid) these problems have been fixed in version 2.0.6-1 of kronolith2. We recommend that you upgrade your kronolith and kronolith2 packages. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-970 |
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 970-1 (kronolith) File : nvt/deb_970_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 21611 | Horde Kronolith Calendar Edit Permission Function XSS Kronolith contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'title' variables upon submission to the edit permission script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 21610 | Horde Kronolith Calendar Search Function Multiple Method XSS Kronolith contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'category' and 'location' variables upon submission to the calendar search script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 21609 | Horde Kronolith Calendar Event Manipulation XSS Kronolith contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'delete events' and 'edit attendees' variables upon submission to the edit calendar script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 21608 | Horde Kronolith Calendar Multiple Field XSS Kronolith contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate calendar name variables upon submission to the view calendar script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-970.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:34:54 |
|
