(Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-01-31 |- |Severity |Medium |- |Affected |BlueSpice 4.x |- |Fixed in |BlueSpice 4.1.2 |} == Problem == Users are able to inject arbi...") |
No edit summary Tag: 2017 source edit |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 11: | Line 11: | ||
|- | |- | ||
|Affected | |Affected | ||
|BlueSpice 4.x | |BlueSpice 3.x, BlueSpice 4.x | ||
|- | |- | ||
|Fixed in | |Fixed in | ||
|BlueSpice 4.1. | |BlueSpice 3.2.9, BlueSpice 4.1.1 | ||
|- | |||
|CVE | |||
|[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510] | |||
|} | |} | ||
| Line 21: | Line 24: | ||
== Solution == | == Solution == | ||
Upgrade to BlueSpice 4.1. | Upgrade to BlueSpice 4.1.1 | ||
== Acknowledgements == | == Acknowledgements == | ||
Special thanks to the security team of an undisclosed customer | Special thanks to the security team of an undisclosed customer | ||
Latest revision as of 21:57, 22 July 2022
| Date | 2022-01-31 |
| Severity | Medium |
| Affected | BlueSpice 3.x, BlueSpice 4.x |
| Fixed in | BlueSpice 3.2.9, BlueSpice 4.1.1 |
| CVE | CVE-2022-2510 |
1. Problem
Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.
2. Solution
Upgrade to BlueSpice 4.1.1
3. Acknowledgements
Special thanks to the security team of an undisclosed customer
Discussions