BSSA-2022-01

Revision as of 08:16, 26 April 2022 by Margit Link-Rodrigue (talk | contribs) (Reverted edits by Margit.link-rodrigue (talk) to last revision by Mglaser)
Date 2022-01-31
Severity Medium
Affected BlueSpice 3.x, BlueSpice 4.x
Fixed in BlueSpice 3.2.9, BlueSpice 4.1.1

Problem

Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.

Solution

Upgrade to BlueSpice 4.1.1

Acknowledgements

Special thanks to the security team of an undisclosed customer