Security:Security Advisories/BSSA-2022-04 and Security:Security Advisories/BSSA-2022-05: Difference between pages

No edit summary
Tag: 2017 source edit
 
No edit summary
Tag: 2017 source edit
 
Line 1: Line 1:
{| class="wikitable" style=""
{| class="wikitable"
|+
|+
!
!
Line 17: Line 17:
|-
|-
|CVE
|CVE
|
|[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814]
* [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
|}
|}


== Problem ==
== Problem ==
Logged in users are able to inject arbitrary HTML (XSS) into several locations in the main interface by editing their user preferences.
Users with edit rights are able to inject arbitrary HTML (XSS) into book navigation by editing a book chapter title.


== Solution ==
== Solution ==

Revision as of 17:50, 11 November 2022

Date 2022-11-08
Severity Low
Affected BlueSpice 4.x
Fixed in BlueSpice 4.2.1
CVE CVE-2022-42001

Problem

Users with edit rights are able to inject arbitrary HTML (XSS) into book navigation by editing a book chapter title.

Solution

Upgrade to BlueSpice 4.2.1.

Acknowledgements

Found during an internal security audit.
