Debian Security Advisory
DSA-2204-1 imp4 -- insufficient input sanitising
- Date Reported:
- 27 Mar 2011
- Affected Packages:
- imp4
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 598584.
In Mitre's CVE dictionary: CVE-2010-3695. - More information:
-
Moritz Naumann discovered that IMP 4, a webmail component for the Horde framework, is prone to cross-site scripting attacks by a lack of input sanitising of certain Fetchmail information.
For the oldstable distribution (lenny), this problem has been fixed in version 4.2-4lenny3.
For the stable distribution (squeeze), this problem has been fixed in version 4.3.7+debian0-2.1, which was already included in the squeeze release.
For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 4.3.7+debian0-2.1.
We recommend that you upgrade your imp4 packages.