Revision as of 07:22, 26 April 2022
Event
XSS attack vector in mwstake/mediawiki-component-commonuserinterface.
Evaluation of the vulnerability in BlueSpice
The value of the 'title' parameter is written to the output unsanitized (e.g. in 'list-group-item').
Patch release 4.1.3 contains an important security fix for this attack.
The corresponding CVE entry (Security:Security_Advisories/BSSA-2022-01) is still pending and will be published soon. It is highly recommended that all users update their installation of BlueSpice 4 as soon as possible.
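
To illustrate the class of bug described under "Evaluation", the following added example (not code from the component or from BlueSpice) contrasts a renderer that writes 'title' into a 'list-group-item' unencoded with one that encodes it at output. The function names, the item array layout and the sample title are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical renderer, NOT the component's real code: builds one
// 'list-group-item' link from an item definition with 'href' and 'title'.

// Unsafe form: 'title' is concatenated into the markup as-is, so quote and
// angle-bracket characters in it become part of the page structure.
function renderItemUnsafe(array $item): string
{
    return '<a class="list-group-item" href="' . $item['href'] . '" title="'
        . $item['title'] . '">' . $item['title'] . '</a>';
}

// Encode a value for HTML output. ENT_QUOTES covers both quote styles, which
// matters in attribute context; ENT_SUBSTITUTE replaces invalid UTF-8 rather
// than returning an empty string.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every dynamic value is encoded at the point of output,
// both where it lands in an attribute and where it lands in element content.
function renderItemSafe(array $item): string
{
    $href  = (string)($item['href'] ?? '#');
    $title = (string)($item['title'] ?? '');
    return '<a class="list-group-item" href="' . esc($href) . '" title="'
        . esc($title) . '">' . esc($title) . '</a>';
}

// Constructed sample input: a title carrying quotes and markup characters.
$item = ['href' => '/wiki/Main_Page', 'title' => 'Q&A "notes" <b>bold</b>'];

$unsafe = renderItemUnsafe($item);
$safe   = renderItemSafe($item);
echo $unsafe, PHP_EOL, $safe, PHP_EOL;

// Check: in the safe output the only tags are the two the renderer wrote
// itself (<a ...> and </a>); the title contributes none.
if (substr_count($safe, '<') !== 2) {
    throw new RuntimeException('title was not encoded');
}
```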