Security:Security Advisories/BSSA-2023-02: Difference between revisions

Latest revision as of 12:45, 5 July 2024

Date: 2023-10-30
Severity: Low
Affected:
  • BlueSpiceAvatars
Fixed in:
  • BlueSpiceAvatars 4.3.3
  • BlueSpiceAvatars 3.2.10.1
CVE: CVE-2023-42431

Problem

When setting the avatar profile image, a user can trigger a cross-site scripting (XSS) attack by entering a crafted URL in the dialog. The issue is confined to the dialog itself and executes only in the context of the user who applied the change.
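
The advisory does not describe the exact defect in BlueSpiceAvatars, so the following is an added, generic illustration of the defect class (an untrusted avatar URL reaching a dialog's markup) and of the validation a dialog should apply; it is not the extension's code, and the allowed host wiki.example.org is an assumption.

```javascript
// Added example (not BlueSpiceAvatars code): confining the self-XSS class
// described in BSSA-2023-02 at the avatar-URL dialog. The "unsafe" function
// is a generic illustration of the pattern; the real defect is not detailed
// in the advisory. ALLOWED_HOSTS is an assumed allow-list for the example.
const ALLOWED_HOSTS = ['wiki.example.org'];

// Accept only absolute http(s) URLs on an allowed host. Any other scheme
// (javascript:, data:, vbscript:, ...) or host is rejected outright.
function validateAvatarUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());   // throws on relative or garbage input
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (!ALLOWED_HOSTS.includes(url.hostname)) return null;
  // url.href is the parser's normalised form: quotes and spaces in the path
  // come back percent-encoded, so they cannot terminate an HTML attribute.
  return url.href;
}

// Escape for the cases where a value must be spliced into markup text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Unsafe pattern: the raw dialog value is concatenated straight into HTML,
// so a quote in the input ends the src attribute and starts a new one.
function renderPreviewUnsafe(input) {
  return '<img src="' + input + '">';
}

// Hardened: validate first, then escape. In a browser prefer building a DOM
// node (img = document.createElement('img'); img.src = safeUrl) over markup,
// and repeat the same validation server-side when the URL is saved, since the
// stored value is rendered again outside the dialog.
function renderPreviewSafe(input) {
  const safeUrl = validateAvatarUrl(input);
  if (safeUrl === null) return '<span class="error">Invalid avatar URL</span>';
  return '<img src="' + escapeHtml(safeUrl) + '">';
}
```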

Solution

  • BlueSpice 4: Update to version 4.3.3
  • BlueSpice 3: Update Extension:BlueSpiceAvatars to version 3.2.10.1

Acknowledgements

Special thanks to the security team of an undisclosed customer.