Security:Security Advisories/BSSA-2022-04 and Manual:Extension/BlueSpiceCustomMenu: Difference between pages

(Difference between pages)
No edit summary
Tag: 2017 source edit
 
No edit summary
 
Line 1: Line 1:
{| class="wikitable" style=""
{{DISPLAYTITLE:Custom menu}}
|+
==Overview==
!
In BlueSpice 4, an additional custom menu is integrated as a mega menu. This menu can be created and edited by users with admin rights. The link-icon (1) is only displayed once the corresponding page has been created.
!
|-
|Date
|2022-11-15
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814]
* [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
|}


== Problem ==
If you don't see the menu icon in your wiki, create the following page: <span style="color: rgb(37, 37, 37); font-family: monospace, Courier; font-size: 13.125px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(233, 233, 238); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">MediaWiki:CustomMenu/Header</span>
Logged in users are able to inject arbitrary HTML (XSS) into several locations in the main interface by editing their user preferences.


== Solution ==
[[File:Manual:customMenu-view-EN.png|alt=Custom menu screenshot|center|thumb|750x750px|Custom menu: (1) open menu, (2) edit link, (3) menu items]]
Upgrade to BlueSpice 4.2.1


== Acknowledgements ==
==Visual edit mode==
Found during an internal security audit.
{{BSVersion|bsvFrom=4.2|bsvTo=|bsvFeature=Visual menu editor}}
 
After creating the necessary page, you can now edit the menu.
 
'''Click''' ''Edit menu'' (2) to switch to edit mode.
 
If you are just starting out with the custom menu, you can start by editing the default ''Nav Menu'' item.
[[File:BlueSpiceCustomMenu navmenu item.png|alt=editing interface|center|thumb|'''editing interface:''' menu header (1), edit header name (2), add link to heading (3), add new menu header (4)]]
 
 
'''To  edit the NavMenu item:'''
 
#'''Click''' the icon for opening the edit dialog. (1)
#'''Click''' ''Edit Node.''
#'''Enter''' the text for your menu header. In a multilingual wiki, you can also enter a [[mediawikiwiki:Help:System_message|message key]].
 
{{#dpl: title=Manual:Extension/BlueSpiceDiscovery/Main_navigation|include=menulinks}}
 
== <span class="mw-headline">Adding links in source editing mode</span> ==
'''To create a menu header:'''
#'''Create''' the first menu header. Menu headers are marked with a single asterisk (*);<syntaxhighlight lang="text">
* Important pages
</syntaxhighlight>
#'''Add''' the links for this menu header. Links are marked with two asterisks (**) and have the following syntax:<syntaxhighlight lang="text">
** target page|label
</syntaxhighlight>
'''Example:'''<pre>* Important pages
** Special:Blog|Blog
** IMS:Policies|Policies
* BlueSpice
** https://bluespice.com|BlueSpice Homepage
** https://bluespice.com/category/news-know-how|News</pre>
After the custom menu has been created, it can now be modified directly via the ''Edit menu'' link (see screenshot above).
==Delete the custom menu==
To remove the custom menu link-icon from the wiki, the <code>MediaWiki:CustomMenu/Header</code> page must be deleted. The page can be restored via the deletion log.
{{Box Links-en|Topic1=[[Manual:Extension/BlueSpiceDiscovery/Main_navigation|Customize the main navigation]]|Topic2=[[Manual:Extension/BlueSpiceUserSidebar|Customize the user menu]]|Topic3=[[Reference:BlueSpiceCustomMenu]]}}
{{Translation}}
[[Category:Customization]]
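Review bot: In the Overview paragraph of the new revision, the page name is wrapped in a span carrying a long pasted inline style attribute (font-family, orphans, -webkit-text-stroke-width and so on), which is editor paste residue. The "Delete the custom menu" section already marks the same name as <code>MediaWiki:CustomMenu/Header</code>, so use that markup here too. Two smaller points in the same revision: the step "Menu headers are marked with a single asterisk (*);" ends in a semicolon where a colon is meant, and the heading "Adding links in source editing mode" is wrapped in <span class="mw-headline"> while the other headings are plain.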

Revision as of 14:40, 3 March 2023

Overview

In BlueSpice 4, an additional custom menu is integrated as a mega menu. This menu can be created and edited by users with admin rights. The link-icon (1) is only displayed once the corresponding page has been created.

If you don't see the menu icon in your wiki, create the following page: MediaWiki:CustomMenu/Header

Custom menu: (1) open menu, (2) edit link, (3) menu items

Visual edit mode

Visual menu editor is available from BlueSpice 4.2.


After creating the necessary page, you can now edit the menu.

Click Edit menu (2) to switch to edit mode.

If you are just starting out with the custom menu, you can start by editing the default Nav Menu item.

editing interface: menu header (1), edit header name (2), add link to heading (3), add new menu header (4)


To edit the NavMenu item:

  1. Click the icon for opening the edit dialog. (1)
  2. Click Edit Node.
  3. Enter the text for your menu header. In a multilingual wiki, you can also enter a message key.


Adding links in source editing mode

To create a menu header:

  1. Create the first menu header. Menu headers are marked with a single asterisk (*):
    * Important pages
    
  2. Add the links for this menu header. Links are marked with two asterisks (**) and have the following syntax:
    ** target page|label
    

Example:

* Important pages
** Special:Blog|Blog
** IMS:Policies|Policies
* BlueSpice
** https://bluespice.com|BlueSpice Homepage
** https://bluespice.com/category/news-know-how|News

After the custom menu has been created, it can now be modified directly via the Edit menu link (see screenshot above).
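
The menu source syntax described above can be checked before it is saved. The following linter is an added example, not BlueSpice code: the function names and the review policy (external links must be http or https, script-capable schemes are reported) are assumptions for illustration, not documented behaviour of the extension.

```python
import re

# Assumed review policy (not BlueSpice behaviour): only http(s) external links.
ALLOWED_EXTERNAL = {"http", "https"}
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
LINE_RE = re.compile(r"^(\*+)\s*(.*)$")

def classify(target):
    """Return 'internal', 'external' or 'rejected' for a link target."""
    m = SCHEME_RE.match(target)
    scheme = m.group(1).lower() if m else ""
    if scheme in SCRIPT_SCHEMES:
        return "rejected"
    if "://" in target:
        return "external" if scheme in ALLOWED_EXTERNAL else "rejected"
    return "internal"  # "Special:Blog" is a namespace prefix, not a URL scheme

def parse_menu(source):
    """Return (headers, findings); findings are (line_number, message)."""
    headers, findings = [], []
    for no, raw in enumerate(source.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not raw.strip():
            continue
        if not m or not m.group(2) or len(m.group(1)) > 2:
            findings.append((no, "not a menu header or link"))
        elif m.group(1) == "*":
            headers.append({"title": m.group(2).strip(), "links": []})
        elif not headers:
            findings.append((no, "link before any menu header"))
        else:
            target, _, label = (p.strip() for p in m.group(2).partition("|"))
            kind = classify(target)
            if kind == "rejected":
                findings.append((no, "disallowed link target scheme"))
            if not label:
                findings.append((no, "link has no label"))
            headers[-1]["links"].append((target, label or target, kind))
    return headers, findings

# Constructed input: lines from the page's example plus two constructed problems.
SAMPLE = """* Important pages
** Special:Blog|Blog
** https://bluespice.com|BlueSpice Homepage
** javascript:void(0)|Constructed bad link
** IMS:Policies"""

if __name__ == "__main__":
    print(parse_menu(SAMPLE)[1])
```
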

Delete the custom menu

To remove the custom menu link-icon from the wiki, the MediaWiki:CustomMenu/Header page must be deleted. The page can be restored via the deletion log.
