Closed
Description
(Published here as requested by Gonicus)
The /gosa/password.php endpoint fails to sanitize the uid POST parameter, leading to a Server-Side Reflected XSS vulnerability as this parameter is later assigned to a Smarty variable of the same name and then rendered in the context of an HTML attribute in password.tpl. As a result, arbitrary JavaScript can be executed in the GOSA origin.
This vulnerability is very similar to the one reported as CVE-2014-9760, but uses a different endpoint.
Suggested fix (untested): Use set_post() to escape the value of uid before assigning it to the Smarty variable here.
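The reflection described in this report, as an added example that is not GOsa code and not part of the original report: a request value placed unescaped into a double-quoted HTML attribute, next to the same value escaped first. `render_uid_field()`, `escape_attr()` and `attribute_names()` are hypothetical names, the input is constructed, and `htmlspecialchars()` stands in for `set_post()`, whose implementation is not shown on this page.

```php
<?php
// Added illustration; not GOsa source. All function names are hypothetical.

// Stand-in for the template line that renders uid inside an attribute.
function render_uid_field(string $uid): string
{
    return '<input type="text" name="uid" value="' . $uid . '">';
}

// Stand-in for the escaping step the report asks for before the value
// is assigned to the template variable. ENT_QUOTES covers both quote types.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse the markup the way a browser would and list the attributes that
// end up on the <input> element.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed input: the double quote ends value="..." early, so the rest
// is parsed as markup instead of data.
$_POST['uid'] = 'alice" data-injected="1';

$unescaped = render_uid_field($_POST['uid']);
$escaped   = render_uid_field(escape_attr($_POST['uid']));

// An attribute the template never wrote appears only in the unescaped case.
echo $unescaped, "\n  attributes: ", implode(', ', attribute_names($unescaped)), "\n";
echo $escaped, "\n  attributes: ", implode(', ', attribute_names($escaped)), "\n";
```

Comparing the parsed attribute list against the attributes the template itself writes is a quick regression check for any field that echoes request data back into a form.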