BarracudaDrive Two Cross-Site Scripting Vulnerabilities
Description
SecPod Research Team has reported two vulnerabilities in BarracudaDrive, which can be exploited by malicious people to conduct cross-site scripting attacks.
1) Input passed via the "role" parameter to protected/admin/roles.lsp is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
2) Input passed via the "path" parameter to rtl/protected/admin/wizard/setuser.lsp is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
The vulnerabilities are reported in version 6.7.1. Prior versions may also be affected.
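For reviewing web server logs for requests that target these two scripts, the following is an added example, not part of the original advisory or of BarracudaDrive. It flags requests whose "role" or "path" query parameter carries HTML markup characters after URL decoding; the access log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path (as given in the advisory) -> parameter reported as reflected.
WATCHED = {
    "rtl/protected/admin/wizard/setuser.lsp": "path",
    "protected/admin/roles.lsp": "role",
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
MARKUP = re.compile(r"[<>\"']")  # characters that can break out of HTML text or attributes

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (conservative: flags double-encoded values too)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(script, parameter, decoded_value)] for watched parameters carrying markup."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    hits = []
    for script, param in WATCHED.items():
        if not url.path.endswith("/" + script):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            if MARKUP.search(value):
                hits.append((script, param, value))
    return hits

def scan(lines):
    """Return (line_number, hit) pairs for every flagged request."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in suspicious_params(line)]

# Constructed sample log lines (assumed common log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2014:10:00:00 +0000] "GET /protected/admin/roles.lsp?role=backup HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2014:10:00:05 +0000] "GET /protected/admin/roles.lsp?role=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 540',
    '192.0.2.44 - - [01/Jan/2014:10:00:09 +0000] "GET /rtl/protected/admin/wizard/setuser.lsp?path=%2522%253E HTTP/1.1" 200 498',
    '192.0.2.10 - admin [01/Jan/2014:10:00:12 +0000] "GET /rtl/protected/admin/wizard/setuser.lsp?path=%2Fhome%2Fdocs HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for line_no, hit in scan(SAMPLE_LOG):
        print(line_no, hit)
```

Only query strings are inspected; values sent in a request body do not appear in a standard access log and need application-level or proxy logging to be covered.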