
Horde Passwd Module < 3.1.1 XSS

Medium

Synopsis

The remote web server contains a PHP application that is vulnerable to cross-site scripting attacks.

Description

The Horde installation uses the Passwd module, which provides support for changing passwords. The installed version of this module is earlier than 3.1.1. Such versions are reportedly affected by a cross-site scripting vulnerability in the 'backend' parameter of the 'main.php' script. An attacker can exploit this to execute arbitrary script code in the browser of an authenticated user.

Solution

Upgrade to Passwd H3 3.1.1 or later.
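
While the upgrade is being scheduled, web server access logs can be reviewed for requests to 'main.php' whose 'backend' value is not a plain identifier. The following is an added example, not part of the original advisory or of Horde's code; the log format (combined), the `/horde/passwd/` path, the backend names and the allowed character set are assumptions, and the log entries are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate backend identifiers are short tokens of letters,
# digits, underscore, dot and hyphen. Adjust to the backends configured locally.
SAFE_BACKEND = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_backend_values(log_lines):
    """Return (line_number, decoded_value) for each request to main.php whose
    'backend' query parameter is not a plain identifier."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/main.php"):
            continue
        # parse_qs percent-decodes values, so encoded markup is compared in clear.
        # Only the query string is logged; POST bodies are not visible here.
        for value in parse_qs(url.query).get("backend", []):
            if not SAFE_BACKEND.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample entries (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /horde/passwd/main.php?backend=hordesql HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:02:13 +0000] "GET /horde/passwd/main.php?backend=%22%3E%3Cb%3Ex HTTP/1.1" 200 5188',
    '192.0.2.10 - - [01/Jan/2024:10:03:40 +0000] "GET /horde/imp/mailbox.php?backend=%3Ci%3E HTTP/1.1" 200 900',
    '192.0.2.51 - - [01/Jan/2024:10:05:02 +0000] "GET /horde/passwd/main.php?backend=ldap-main&userid=alice HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for number, value in suspicious_backend_values(SAMPLE_LOG):
        print(f"line {number}: backend={value!r}")
```

A hit means the parameter carried characters outside the allowlist, which warrants a look at the referring page and the affected session; it does not by itself show that script ran in a user's browser.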