BSSA-2023-02

Revision as of 11:56, 30 October 2023 by Rvogel (talk | contribs)
Date 2023-10-30
Severity Low
Affected
  • BlueSpiceAvatars
Fixed in
  • BlueSpiceAvatars 4.3.3
  • BlueSpiceAvatars 3.2.10.1
CVE CVE-2023-42431

Problem

When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change.

Solution

  • BlueSpice 4: Update to version 4.3.3
  • BlueSpice 3: Update Extension:BlueSpiceAvatars version 3.2.10.1

Acknowledgements

Special thanks to the security team of an undisclosed customer.