{{Featurepage|featured=false|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}}
Latest revision as of 12:45, 5 July 2024
Date | 2023-10-30 |
Severity | Low |
Affected | |
Fixed in | |
CVE | CVE-2023-42431 |
Problem
When setting the avatar profile image, a user can cause an XSS attack by inserting a modified URL in the dialog. The issue occurs only in the dialog itself and only in the context of the user who applied the change.
Solution
- BlueSpice 4: Update to version 4.3.3
- BlueSpice 3: Update Extension:BlueSpiceAvatars version 3.2.10.1
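
For custom code that accepts an image URL from a user, as the avatar dialog described under Problem does, a common defense is to validate the URL against an allowlist before it reaches the page. The following is an added example, not BlueSpice code and not the actual fix (the advisory does not describe it); the function name, allowed schemes and allowed extensions are assumptions.

```javascript
// Added example: allowlist validation for a user-supplied avatar URL.
// Not BlueSpice code. Policy values below are assumptions for illustration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const ALLOWED_EXTENSIONS = /\.(png|jpe?g|gif)$/i;

function validateAvatarUrl(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  const trimmed = input.trim();
  // URL parsers silently drop tabs and newlines, which can hide a scheme
  // such as "java\tscript:" from naive string checks, so reject them early.
  if (/[\u0000-\u0020\u007f]/.test(trimmed)) return { ok: false, reason: 'control-or-space' };
  // Characters that could break out of an attribute or tag if the value
  // is ever concatenated into markup.
  if (/["'<>`]/.test(trimmed)) return { ok: false, reason: 'markup-char' };
  let url;
  try {
    url = new URL(trimmed); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: 'not-absolute' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  if (!ALLOWED_EXTENSIONS.test(url.pathname)) return { ok: false, reason: 'extension' };
  // Return the parser's normalized form, not the raw input.
  return { ok: true, url: url.href };
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  'https://example.org/avatars/u1.PNG?size=64',
  'javascript:alert(1)',
  'data:image/svg+xml;base64,AAAA',
  'https://example.org/a.png"onerror=x',
  '/images/a.png',
];

function classifySamples() {
  return SAMPLES.map((s) => {
    const r = validateAvatarUrl(s);
    return r.ok ? 'ok' : r.reason;
  });
}

// When rendering, assign the validated value through a DOM property
// (img.src = result.url) instead of building an HTML string.
```
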
Acknowledgements
Special thanks to the security team of an undisclosed customer.