No edit summary |
No edit summary |
||
| Line 5: | Line 5: | ||
|- | |- | ||
|Date | |Date | ||
|2022- | |2022-04-25 | ||
|- | |- | ||
|Severity | |Severity | ||
| Line 11: | Line 11: | ||
|- | |- | ||
|Affected | |Affected | ||
| | |BlueSpice 4.x | ||
|- | |- | ||
|Fixed in | |Fixed in | ||
| | |4.1.3 | ||
|} | |} | ||
== Problem == | == Problem == | ||
Users are able to inject arbitrary HTML (XSS) on | Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <nowiki><code>title</code></nowiki> parameter. This can be triggered via URL. | ||
== Solution == | == Solution == | ||
Upgrade to BlueSpice 4.1. | Upgrade to BlueSpice 4.1.3 | ||
== Acknowledgements == | == Acknowledgements == | ||
Special thanks to the security team of an undisclosed customer | Special thanks to the security team of an undisclosed customer | ||
Revision as of 16:23, 25 April 2022
| Date | 2022-04-25 |
| Severity | Medium |
| Affected | BlueSpice 4.x |
| Fixed in | 4.1.3 |
Problem
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL.
Solution
Upgrade to BlueSpice 4.1.3
Acknowledgements
Special thanks to the security team of an undisclosed customer
