Related CVEs: CVE-2016-5303, CVE-2021-26929
Alex Birnberg discovered a cross-site scripting (XSS) vulnerability in the Horde Application Framework, more precisely its Text Filter API. An attacker could take control of a user’s mailbox by sending a crafted e-mail. This update also fixes a separate minor XSS vulnerability discovered by Liuzhu.
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.
For Debian 8 jessie, these problems have been fixed in version 2.2.1-5+deb8u1.
We recommend that you upgrade your php-horde-text-filter packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
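A defensive check for the injection points named in the description above, as an added example that is not part of the advisory or of Horde's code: it scans an HTML mail body with Python's standard `html.parser` and reports `data:` URIs found in a form `action` or in any `xlink:*` attribute. The function names and the sample body are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Leading whitespace and control characters that browsers strip before
# reading a URL scheme (C0 controls and space).
_STRIP = "".join(chr(c) for c in range(0x21))

def uri_scheme(value):
    """Return the lower-cased scheme of an attribute value, or None if relative."""
    # Browsers also remove tab and newline characters anywhere inside a URL.
    cleaned = re.sub(r"[\t\r\n]", "", value or "").lstrip(_STRIP)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return match.group(1).lower() if match else None

class DataUriFinder(HTMLParser):
    """Collect (tag, attribute, value) where a data: URI sits in a form action
    or in any xlink:* attribute, the two locations the advisory text names."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases names and decodes character references in
        # values, so entity-encoded schemes are seen in decoded form here.
        for name, value in attrs:
            in_scope = (tag == "form" and name == "action") or name.startswith("xlink:")
            if in_scope and uri_scheme(value) == "data":
                self.findings.append((tag, name, value))

def find_data_uris(html_body):
    """Return all in-scope data: URI attributes found in an HTML body."""
    finder = DataUriFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings

# Constructed sample mail body; the data: payloads are inert placeholders.
SAMPLE = """
<form action="https://example.org/submit"><input name="q"></form>
<form action=" DaTa:text/html,placeholder"><input type="submit"></form>
<svg><a xlink:href="data&#58;text/html,placeholder"><text>link</text></a></svg>
<a href="/relative/path">ok</a>
"""

if __name__ == "__main__":
    for tag, name, value in find_data_uris(SAMPLE):
        print(f"<{tag}> {name}={value!r}")
```

A check like this is useful for triaging stored mail or testing a filter's output; it does not replace upgrading to the fixed package version.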