Horde < 3.1.4 NLS.php new_lang Parameter XSS
Medium Nessus Network Monitor Plugin ID 3950
Synopsis
The remote web server contains a PHP application that is vulnerable to a cross-site scripting attack.
Description
The version of Horde installed on the remote host fails to sanitize input to the 'new_lang' parameter before using it in the 'framework/NLS/NLS.php' script to generate dynamic content. An unauthenticated remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.
Solution
Upgrade to version 3.1.4 or higher.