CVE-2014-3808

Name of the Vulnerable Software and Affected Versions BarracudaDrive versions prior to 6.7.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters in various API endpoints, including the role parameter to "roles.lsp", the name parameter to "user.lsp", the path parameter to "wizard/setuser.lsp", the host parameter to "tunnelconstr.lsp", or the newpath parameter to "wfsconstr.lsp" in the "rtl/protected/admin/" directory.

Recommendations For BarracudaDrive versions prior to 6.7.2, update to version 6.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "roles.lsp", "user.lsp", "wizard/setuser.lsp", "tunnelconstr.lsp", and "wfsconstr.lsp", until a patch is applied. Avoid using the vulnerable parameters role, name, path, host, and newpath in the respective API endpoints until the issue is resolved.