First published: Fri Feb 08 2008(Updated: )
It was reported that turba does not properly check permissions on address books, allowing users to modify addresses in other users' address books. This problem affects both shared and non-shared address books. Knowing (or guessing) the object_id seems to be sufficient to allow modification of other users' addresses. More information can be found in Debian bug report, which also contains some proposed patches: <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058</a> Upstream bug report: <a href="http://bugs.horde.org/ticket/?id=6208">http://bugs.horde.org/ticket/?id=6208</a>
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/3.1.6 | <1. | 1. |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Debian Debian Linux | =4.0 | |
Horde Groupware | =1.0.3 | |
Horde Groupware Webmail Edition | =1.0.4 | |
Horde Turba Contact Manager | =2.1.6 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.