Transform · Transform Foundation Server · CVE-2014-2577
**Name of the Vulnerable Software and Affected Versions**
Transform Foundation Server versions prior to 4.3.1 Patch 8
Transform Foundation Server versions 5.x prior to 5.2 Patch 7
**Description**
The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `pn` parameter to "index.fsp/document.pdf", the `db` or `referer` parameter to "index.fsp/index.fsp", or the `PATH INFO` to the default URI.
**Recommendations**
For versions prior to 4.3.1 Patch 8, update to version 4.3.1 Patch 8 or later.
For versions 5.x prior to 5.2 Patch 7, update to version 5.2 Patch 7 or later.