BSSA-2022-02

Revision as of 08:15, 26 April 2022 by Margit Link-Rodrigue (talk | contribs) (Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-04-25 |- |Severity |Medium |- |Affected |BlueSpice 4.x |- |Fixed in |4.1.3 |} == Problem == Users are able to inject arbitrary HTML...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Date 2022-04-25
Severity Medium
Affected BlueSpice 4.x
Fixed in 4.1.3

Problem

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL.

Solution

Upgrade to BlueSpice 4.1.3

Acknowledgements

Special thanks to the security team of an undisclosed customer