A php-horde-text-filter security update has been released for Debian GNU/Linux 8 Extended LTS to address two cross-site scripting (XSS) vulnerabilities.

ELA-365-1 php-horde-text-filter security update

Package php-horde-text-filter
Version 2.2.1-5+deb8u1
Related CVEs CVE-2016-5303 CVE-2021-26929

Alex Birnberg discovered a cross-site scripting (XSS) vulnerability in the Horde Application Framework, more precisely its Text Filter API. An attacker could take control of a user’s mailbox by sending a crafted e-mail. This update also fixes a separate minor XSS vulnerability discovered by Liuzhu.

CVE-2021-26929

An XSS issue was discovered in Horde Groupware Webmail Edition (where the Horde_Text_Filter library is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.

CVE-2016-5303

Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.

For Debian 8 jessie, these problems have been fixed in version 2.2.1-5+deb8u1.

We recommend that you upgrade your php-horde-text-filter packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-365-1 php-horde-text-filter security update