CVE-2011-4950

Name of the Vulnerable Software and Affected Versions EGroupware Enterprise Line versions prior to 11.1.20110804-1 EGroupware Community Edition versions prior to 1.8.001.20110805

Description The issue allows remote attackers to inject arbitrary web script or HTML via the lang parameter in the /js/jscalendar/test.php endpoint. This is a cross-site scripting (XSS) issue.

Recommendations For EGroupware Enterprise Line versions prior to 11.1.20110804-1, update to version 11.1.20110804-1 or later. For EGroupware Community Edition versions prior to 1.8.001.20110805, update to version 1.8.001.20110805 or later. As a temporary workaround, consider restricting access to the /js/jscalendar/test.php endpoint to minimize the risk of exploitation. Avoid using the lang parameter in the affected endpoint until the issue is resolved.