Date | 2023-10-30 |
Severity | Low |
Affected | |
Fixed in | |
CVE | CVE-2023-42431 |
Problem
When setting the avatar profile image, a user can trigger a cross-site scripting (XSS) attack by entering a modified URL in the dialog. The issue occurs only in the dialog itself and only in the context of the user who applied the change.
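This advisory does not describe the root cause or the patch. As an added example (not BlueSpice code and not the project's fix), the block below shows one defensive way to handle a user-supplied image URL before a dialog displays it: allowlist the scheme, then encode the value on output. The function names `safeAvatarUrl`, `escapeAttr` and `renderAvatarPreview`, the CSS class names and the markup are hypothetical.

```javascript
// Added example: hypothetical helpers, not BlueSpice code.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Return a normalized absolute URL string, or null if the input is not
// acceptable as an image source.
function safeAvatarUrl(input) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  // Reject embedded whitespace and control characters, which URL parsers
  // may strip silently and which can disguise the scheme.
  if (trimmed === "" || /[\u0000-\u0020\u007f]/.test(trimmed)) return null;
  let url;
  try {
    url = new URL(trimmed); // throws on relative or malformed input
  } catch {
    return null;
  }
  // Only plain web schemes; script-bearing schemes never reach the page.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Embedded credentials have no place in an avatar URL.
  if (url.username !== "" || url.password !== "") return null;
  return url.href;
}

// Encode a value for use inside a quoted HTML attribute.
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Build the preview markup shown in the dialog. Invalid input yields an
// inert message instead of an <img> element.
function renderAvatarPreview(input) {
  const url = safeAvatarUrl(input);
  if (url === null) {
    return '<span class="avatar-error">Invalid image URL</span>';
  }
  return '<img class="avatar-preview" alt="" src="' + escapeAttr(url) + '">';
}
```

Validation and output encoding are applied together so that a gap in one layer does not by itself let markup reach the dialog.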
Solution
- BlueSpice 4: Update to version 4.3.3
- BlueSpice 3: Update Extension:BlueSpiceAvatars to version 3.2.10.1
Acknowledgements
Special thanks to the security team of an undisclosed customer.