Security:Security Advisories/BSSA-2022-01: Difference between revisions

No edit summary
No edit summary
Line 5: Line 5:
|-
|-
|Date
|Date
|2022-01-31
|2022-04-25
|-
|-
|Severity
|Severity
Line 11: Line 11:
|-
|-
|Affected
|Affected
|BlueSpice 3.x, BlueSpice 4.x
|BlueSpice 4.x
|-
|-
|Fixed in
|Fixed in
|BlueSpice 3.2.9, BlueSpice 4.1.1
|4.1.3
|}
|}


== Problem ==
== Problem ==
Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <nowiki><code>title</code></nowiki> parameter. This can be triggered via URL.


== Solution ==
== Solution ==
Upgrade to BlueSpice 4.1.1
Upgrade to BlueSpice 4.1.3


== Acknowledgements ==
== Acknowledgements ==
Special thanks to the security team of an undisclosed customer
Special thanks to the security team of an undisclosed customer

Revision as of 16:23, 25 April 2022

Date 2022-04-25
Severity Medium
Affected BlueSpice 4.x
Fixed in 4.1.3

Problem

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL.

Solution

Upgrade to BlueSpice 4.1.3

Acknowledgements

Special thanks to the security team of an undisclosed customer