Horde < 3.1.4 NLS.php new_lang Parameter XSS

Medium

Synopsis

The remote web server contains a PHP application that is vulnerable to a cross-site scripting attack.

Description

The version of Horde installed on the remote host fails to sanitize input to the 'new_lang' parameter before using it in the 'framework/NLS/NLS.php' script to generate dynamic content. An unauthenticated remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.

Solution

Upgrade to version 3.1.4 or higher.