CVE-2008-3824 – Horde Application Framework 3.2.1 - Forward Slash Insufficient Filtering Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2008-3824

Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as replacements for spaces in an HTML e-mail message. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en (1) el módulo Text_Filter/Filter/xss.php de Horde versiones 3.1.x anteriores a 3.1.9 y versiones 3.2.x anteriores a 3.2.2 y en (2) el módulo externalinput.php de Popoon versión r22196 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección al reemplazar caracteres / (barra) por los espacios en blanco en un mensaje de correo electrónico en formato HTML. • https://www.exploit-db.com/exploits/32353 http://blog.liip.ch/missed-case-in-externalinput-php-resulting-in-viable-xss-attacks.html http://marc.info/?l=horde-announce&m=122103888111491&w=2 http://marc.info/?l=horde-announce&m=122104360019867&w=2 http://ocert.org/patches/2008-012/Text_Filter.31.patch http://ocert.org/patches/2008-012/Text_Filter.patch http://osvdb.org/47996 http://secunia.com/advisories/31842 http://securityreason.com/securityalert/4245 http://www. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •