Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.0.00.003 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the date or search text field in the calendar module, (2) the Field, Filter, QField, Start parameters or the Search field in the address module, (3) the Subject field in the message module, or (4) the Subject field in the Ticket module.
Gentoo has released an advisory (GLSA 200409-06) and an updated eBuild to address this issue. Please see the referenced advisory for more information. Gentoo users can carry out the following commands to update their computer:
emerge sync
emerge -pv ">=www-apps/egroupware-1.0.00.004"
emerge ">=www-apps/egroupware-1.0.00.004"
It is reported that eGroupWare is susceptible to multiple cross-site scripting and HTML injection vulnerabilities.
The cross-site scripting issues are present in various parameters of the 'addressbook' and 'calendar' modules. It is also reported that data entered through the 'Search' fields of the 'addressbook', 'calendar', and 'search between projects' functionality is not sufficiently sanitized.
An attacker can exploit these issues for theft of cookie-based authentication credentials and other attacks.
Additionally, HTML injection vulnerabilities are reported in the eGroupWare 'Messenger' and 'Ticket' modules.
Attackers may potentially exploit these issues to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.
eGroupWare contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the "date" variable upon submission to the Calendar module. This could allow a user to create a specially crafted URL that would execute arbitrary script in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Upgrade to version 1.0.0.004 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
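The root cause described above is a request parameter (the Calendar "date" value, or free-form search text) being written back into the page without validation or output encoding. The following PHP snippet is an added illustration, not eGroupWare's own code, of the vulnerable pattern beside a hardened version: the structured "date" field is whitelist-validated against the format the module expects, and any value that reaches markup is HTML-encoded for its context. The function names (render_date_unsafe, render_date_safe, render_search_safe, normalize_date) and the sample input are assumptions made for this example.

```php
<?php
// Added example (not part of eGroupWare): reflected parameter handling.
// Function names and the sample input below are constructed for illustration.

function render_date_unsafe(array $get): string
{
    // Vulnerable pattern: the raw "date" value is placed directly into an
    // attribute, so a value containing a double quote breaks out of it.
    $date = $get['date'] ?? '';
    return '<input type="text" name="date" value="' . $date . '">';
}

function normalize_date(string $raw): ?string
{
    // Whitelist validation: accept only YYYY-MM-DD and reject impossible dates.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return null;
    }
    [$y, $m, $d] = array_map('intval', explode('-', $raw));
    return checkdate($m, $d, $y) ? sprintf('%04d-%02d-%02d', $y, $m, $d) : null;
}

function render_date_safe(array $get): string
{
    // Invalid input is discarded rather than echoed; an empty field is rendered.
    $date = normalize_date((string) ($get['date'] ?? '')) ?? '';
    // Output encoding is kept as a second layer even though the value is already
    // constrained: ENT_QUOTES escapes both quote styles used in attributes.
    $encoded = htmlspecialchars($date, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="date" value="' . $encoded . '">';
}

function render_search_safe(string $query): string
{
    // Free-form search text cannot be whitelisted, so contextual encoding is
    // the control that stops it from being interpreted as markup.
    $encoded = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search" value="' . $encoded . '">';
}

// Constructed sample input: an attribute-breaking value in the "date" parameter.
$sample = ['date' => '"><b>injected</b>'];

echo render_date_unsafe($sample), PHP_EOL;          // attribute is broken open
echo render_date_safe($sample), PHP_EOL;            // rejected; empty value rendered
echo render_date_safe(['date' => '2004-09-08']), PHP_EOL; // valid date passes through
echo render_search_safe('"><b>injected</b>'), PHP_EOL; // rendered as inert text
```

Running the script shows the unsafe renderer emitting the injected tag as live markup, while the safe renderers either drop the value (structured field) or emit it as `&quot;&gt;&lt;b&gt;...` (free-form field), which the browser displays rather than executes.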