CVE-2014-2526

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive before 6.7 allow remote attackers to inject arbitrary web script or HTML via the (1) sForumName or (2) sDescription parameter to Forum/manage/ForumManager.lsp; (3) sHint, (4) sWord, or (5) nId parameter to Forum/manage/hangman.lsp; (6) user parameter to rtl/protected/admin/wizard/setuser.lsp; (7) name or (8) email parameter to feedback.lsp; (9) lname or (10) url parameter to private/manage/PageManager.lsp; (11) cmd parameter to fs; (12) newname, (13) description, (14) firstname, (15) lastname, or (16) id parameter to rtl/protected/mail/manage/list.lsp; or (17) PATH_INFO to fs/.

Múltiples vulnerabilidades de XSS en BarracudaDrive anterior a 6.7 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro (1) sForumName o (2) sDescription hacia Forum/manage/ForumManager.lsp; el parámetro (3) sHint, (4) sWord o (5) nId hacia Forum/manage/hangman.lsp; (6) el parámetro user hacia rtl/protected/admin/wizard/setuser.lsp; el parámetro (7) name o (8) email hacia feedback.lsp; el parámetro (9) lname o (10) url hacia private/manage/PageManager.lsp; (11) el parámetro cmd hacia fs; (12) newname, (13) description, (14) firstname, (15) lastname o (16) el parámetro id hacia rtl/protected/mail/manage/list.lsp o (17) PATH_INFO hacia fs/.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-03-17 CVE Reserved
2014-03-25 CVE Published
2023-11-05 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (7)

URL	Tag	Source
http://secpod.org/advisories/SecPod_BarracudaDrive_Mult_XSS_Vuln.txt	Broken Link
http://secpod.org/blog/?p=2158	Broken Link
http://secunia.com/advisories/57451	Not Applicable
http://www.securityfocus.com/bid/66269	Third Party Advisory

URL	Date	SRC
http://packetstormsecurity.com/files/125766	2024-08-06

URL	Date	SRC

URL	Date	SRC
http://barracudadrive.com/readme.txt	2021-05-27
https://exchange.xforce.ibmcloud.com/vulnerabilities/91920	2021-05-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Barracudadrive Search vendor "Barracudadrive"		Barracudadrive Search vendor "Barracudadrive" for product "Barracudadrive"				< 6.7 Search vendor "Barracudadrive" for product "Barracudadrive" and version " < 6.7"		-		Affected