BSSA-2023-02

Revision as of 12:45, 5 July 2024 by Margit Link-Rodrigue (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Date 2023-10-30
Severity Low
Affected
  • BlueSpiceAvatars
Fixed in
  • BlueSpiceAvatars 4.3.3
  • BlueSpiceAvatars 3.2.10.1
CVE CVE-2023-42431

Problem

When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change.

Solution

  • BlueSpice 4: Update to version 4.3.3
  • BlueSpice 3: Update Extension:BlueSpiceAvatars version 3.2.10.1

Acknowledgements

Special thanks to the security team of an undisclosed customer.