CVE-2012-4739

Name of the Vulnerable Software and Affected Versions Barracuda SSL VPN versions prior to 2.2.2.203

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters in different API endpoints, such as the policyLaunching, resourcePrefix, or actionPath parameter in "showUserResourceCategories.do", the list or path parameter to "fileSystem.do", or the return-To parameter to "launchAgent.do".

Recommendations For versions prior to 2.2.2.203, update to version 2.2.2.203 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "showUserResourceCategories.do", "fileSystem.do", and "launchAgent.do", until a patch is applied. Avoid using the vulnerable parameters policyLaunching, resourcePrefix, actionPath, list, path, and return-To in the respective API endpoints until the issue is resolved.