PatchSiren cyber security CVE debrief
CVE-2014-9760 Gosa Project CVE debrief
CVE-2014-9760 describes a cross-site scripting (XSS) flaw in GOsa's login page handling. NVD identifies the issue in the displayLogin function in html/index.php, where remote attackers can inject arbitrary web script or HTML via the username field. The NVD record lists the issue as CVSS 3.1 6.1 (MEDIUM), with network attack vector and user interaction required.
- Vendor: Gosa Project
- Product: GOsa
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
GOsa administrators, operators of internet-facing GOsa login pages, and teams responsible for patching or hardening self-service or admin web portals should pay attention. Deployments that expose the login interface to untrusted users are the most exposed, because the login page is reachable before any authentication takes place.
Technical summary
The vulnerability is a CWE-79 cross-site scripting issue in GOsa's login display path. According to the NVD description, the displayLogin function in html/index.php does not properly neutralize username input before rendering it, so attacker-controlled script or HTML is echoed into the page and executes in a victim's browser when the login page is viewed with that value. The NVD CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates a remotely reachable issue with no privileges required, a changed scope (the impact lands in the victim's browser rather than on the server), and a user interaction requirement: the victim has to act on attacker-supplied content for the crafted username to reach the page.
Defensive priority
Medium. The issue is remotely reachable and can affect browser sessions, but it requires user interaction and the vector records no availability impact (A:N). Prioritize faster if the GOsa login page is exposed to the public internet or used by privileged administrators, whose browser sessions are the most valuable target for injected script.
Recommended defensive actions
- Apply the vendor patch referenced in the upstream GOsa core commit included in the advisory references.
- Verify that the login page HTML-encodes the username for the context in which it is rendered (attribute value or element text) before echoing it back, rather than relying on input filtering alone; a probe value containing quotes and angle brackets should come back encoded, not verbatim.
- Restrict exposure of the GOsa login interface to trusted networks or management paths where possible.
- Review browser-side hardening controls such as Content Security Policy as a defense-in-depth measure, while still fixing the underlying output-encoding flaw.
- Confirm your deployed GOsa version against the vendor advisory and NVD record before and after remediation.
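As an added illustration for the technical summary and the verification step above (this is not GOsa's PHP code or the project's patch; it is Python modelling the class of bug NVD describes), the block below renders a login form once with the username reflected unencoded and once with it HTML-encoded, then classifies how a response body reflects a probe username. The field name "username", the probe value and the sample bodies are assumptions constructed for the example.

```python
import html

# Probe that a tester would submit as the username. It carries a fixed token so
# reflections are easy to locate, plus the characters a correct HTML encoder
# must neutralise inside a double-quoted attribute (", <, >). Constructed for
# this example; not a payload from the advisory.
PROBE_TOKEN = "xsscheck7f3a"
PROBE_USERNAME = PROBE_TOKEN + '"><img src=x onerror=alert(1)>'


def render_login_vulnerable(username: str) -> str:
    """Illustrative login form that echoes the username without encoding.

    This models the CWE-79 mistake NVD attributes to displayLogin; it is not
    GOsa's source. The closing quote in the probe breaks out of the value
    attribute and the rest of the probe becomes live markup.
    """
    return f'<form method="post"><input name="username" value="{username}"></form>'


def render_login_fixed(username: str) -> str:
    """Same form with the username encoded for an attribute context.

    html.escape(quote=True) rewrites &, <, >, " and ', which is sufficient
    for a double-quoted attribute value. Encoding at output time is the fix;
    stripping characters on input is not a substitute.
    """
    safe = html.escape(username, quote=True)
    return f'<form method="post"><input name="username" value="{safe}"></form>'


def classify_reflection(body: str, probe: str = PROBE_USERNAME,
                        token: str = PROBE_TOKEN) -> str:
    """Classify how a login page reflected the probe username.

    Returns one of:
      "raw"      the probe appears verbatim, so markup is injectable
      "encoded"  the probe appears only in its HTML-encoded form
      "altered"  the token is present but the probe was filtered or partially
                 encoded; inspect by hand, filters are often bypassable
      "absent"   the token does not appear, so the value is not reflected here
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    if token in body:
        return "altered"
    return "absent"


if __name__ == "__main__":
    # Against a live deployment you would submit PROBE_USERNAME to the login
    # form and pass the response body to classify_reflection().
    for label, page in (("vulnerable", render_login_vulnerable(PROBE_USERNAME)),
                        ("fixed", render_login_fixed(PROBE_USERNAME))):
        print(f"{label}: {classify_reflection(page)}")
```

The "altered" outcome is the one to treat with suspicion during verification: a page that strips `<img` but leaves the quote character is still exploitable with a different payload, so only an "encoded" result for a probe containing all of `"`, `<` and `>` should be taken as evidence that the output-encoding fix is in place.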
Evidence notes
This debrief is based on the supplied NVD record and its listed references. NVD describes the flaw as XSS in displayLogin within html/index.php in GOsa, allowing remote attackers to inject arbitrary web script or HTML via the username. The record maps the weakness to CWE-79 and reports CVSS 3.1 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). References include the upstream GitHub commit e35b990464a2c2cf64d6833a217ed944876e7732, an oss-security mailing list post, and a SecurityFocus advisory entry.
Official resources
- CVE-2014-9760 CVE record (CVE.org)
- CVE-2014-9760 NVD detail (NVD)
- Mitigation or vendor reference: oss-security mailing list post (tagged Mailing List, Patch, Third Party Advisory)
- Mitigation or vendor reference: SecurityFocus advisory entry (tagged Third Party Advisory, VDB Entry)
- Mitigation or vendor reference: upstream GitHub commit e35b990464a2c2cf64d6833a217ed944876e7732 (tagged Patch, Vendor Advisory)
CVE published: 2017-02-13. NVD record modified: 2026-05-13. The supplied references show advisory and patch activity by 2016, so the fix predates the CVE record; the CVE publication date above is still the disclosure date to use when tracking this record.