CVE-2014-2526

Name of the Vulnerable Software and Affected Versions BarracudaDrive versions prior to 6.7

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different API endpoints, including "/Forum/manage/ForumManager.lsp" with sForumName or sDescription parameters, "/Forum/manage/hangman.lsp" with sHint, sWord, or nId parameters, "/rtl/protected/admin/wizard/setuser.lsp" with user parameter, "/feedback.lsp" with name or email parameters, "/private/manage/PageManager.lsp" with lname or url parameters, "/fs" with cmd parameter, and "/rtl/protected/mail/manage/list.lsp" with newname, description, firstname, lastname, or id parameters. Additionally, the "PATH INFO" to "/fs/" is also vulnerable.

Recommendations For BarracudaDrive versions prior to 6.7, update to version 6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/Forum/manage/ForumManager.lsp", "/Forum/manage/hangman.lsp", "/rtl/protected/admin/wizard/setuser.lsp", "/feedback.lsp", "/private/manage/PageManager.lsp", "/fs", and "/rtl/protected/mail/manage/list.lsp", until a patch is available. Avoid using the vulnerable parameters, such as sForumName, sDescription, sHint, sWord, nId, user, name, email, lname, url, cmd, newname, description, firstname, lastname, and id, in the affected API endpoints until the issue is resolved.