(Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-04-25 |- |Severity |Medium |- |Affected |BlueSpice 4.x |- |Fixed in |4.1.3 |} == Problem == Users are able to inject arbitrary HTML...") Tag: 2017 source edit |
No edit summary Tag: 2017 source edit |
||
| Line 18: | Line 18: | ||
== Problem == | == Problem == | ||
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the | Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL. | ||
== Solution == | == Solution == | ||
Revision as of 08:19, 26 April 2022
| Date | 2022-04-25 |
| Severity | Medium |
| Affected | BlueSpice 4.x |
| Fixed in | 4.1.3 |
Problem
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.
Solution
Upgrade to BlueSpice 4.1.3
Acknowledgements
Special thanks to the security team of an undisclosed customer
