
Horde < 3.1.4 NLS.php new_lang Parameter XSS

Medium

Synopsis

The remote web server contains a PHP application that is vulnerable to a cross-site scripting attack.

Description

The version of Horde installed on the remote host fails to sanitize input to the 'new_lang' parameter before using it in the 'framework/NLS/NLS.php' script to generate dynamic content. An unauthenticated remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.

Solution

Upgrade to version 3.1.4 or higher.
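
Until the upgrade is in place, web server access logs can be reviewed for requests that abuse the parameter described above. The following is an added example, not part of the original advisory and not Horde code: it flags `new_lang` query values that do not look like a locale code. The locale pattern, the common/combined log format, the request paths and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate new_lang values look like locale codes
# (en, en_US, pt_BR.UTF-8). Anything else is reported for review.
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?(?:\.[A-Za-z0-9-]{1,16})?")

# Client address and request target from a common/combined-format log entry.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def suspicious_new_lang(lines):
    """Return (client, decoded_value) for each new_lang value that is not a locale code.

    Only query strings are inspected; POST bodies are not present in access logs.
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request entry
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes each value, so encoded markup is seen in clear.
        for value in parse_qs(query).get("new_lang", []):
            if not LOCALE_RE.fullmatch(value):
                hits.append((m.group("client"), value))
    return hits

# Constructed sample entries (documentation address ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2007:10:00:00 +0000] "GET /horde/login.php?new_lang=en_US HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2007:10:00:05 +0000] "GET /horde/login.php?new_lang=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5190',
    '192.0.2.11 - - [01/Jan/2007:10:00:09 +0000] "GET /horde/login.php?new_lang=pt_BR.UTF-8&app=horde HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2007:10:00:12 +0000] "GET /horde/index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, value in suspicious_new_lang(SAMPLE_LOG):
        print(f"{client}: unexpected new_lang value {value!r}")
```

A hit means the value warrants review, not that script executed in a browser; tighten the pattern to the locales actually installed to reduce noise.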