CVE-2010-3314

Name of the Vulnerable Software and Affected Versions EGroupware versions 1.4.001+.002 through 1.6.001+.002 EGroupware version 1.6.003 and earlier EPL versions 9.1 through 9.1.20100308 EPL versions 9.2 through 9.2.20100308

Description The issue allows remote attackers to inject arbitrary web script or HTML via the lang parameter in the login.php file. This can lead to cross-site scripting (XSS) attacks.

Recommendations For EGroupware versions 1.4.001+.002 through 1.6.001+.002, update to version 1.6.003 or later. For EGroupware version 1.6.003 and earlier, update to version 1.6.003 or later. For EPL versions 9.1 through 9.1.20100308, update to version 9.1.20100309 or later. For EPL versions 9.2 through 9.2.20100308, update to version 9.2.20100309 or later. As a temporary workaround, consider restricting access to the login.php file to minimize the risk of exploitation. Avoid using the lang parameter in the affected login.php file until the issue is resolved.