SB2020051826 - XSS in Horde Gollem
Published: May 18, 2020 Updated: September 28, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2020-8034)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the value passed via the HTTP GET dir parameter in the browser functionality, which is reflected in the breadcrumb output. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
References
- https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES
- https://github.com/horde/gollem/commits/master
- https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html
- https://lists.horde.org/archives/announce/2020/001289.html
- https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html