Announcement/XSS attack and Manual:Extension/BlueSpiceReaders: Difference between pages

(Difference between pages)
m ((username removed) (log details removed))
 
No edit summary
 
Line 1: Line 1:
{{Featurepage|featured=true|featuredesc=Patch Release 4.1.3 contains an important '''security fix''' for a “reflected XSS” attack. <span class="bi bi-exclamation-circle-fill" style="color:orange"></span>|featurestart=04/25/2022}}
{{DISPLAYTITLE:Page info: readers}}
==Event==
XSS attack vector in ''mwstake/mediawiki-component-commonuserinterface.'' 


== Evaluation of the vulnerability in BlueSpice ==
The extension '''Readers''' displays the readers of a wiki page.
The value from 'title' parameter get's unsanitized to the output (e.g. in 'list-group-item').


[[Setup:Release Notes#4.1.3|Patch release 4.1.3]] contains an important security-fix for this attack.
==Viewing the readers of a page==
Users must have admin rights to see the readers of a page. The list of readers is shown on the page information, which can be accessed from the [[Manual:Extension/BlueSpiceDiscovery#Page tools|page tools.]]
<br />
[[File:Manual:PageInformation Reader.png|link=link=Special:FilePath/Readers1a.png|alt=|center|thumb|336x336px|Readers in the page information flyout]]


The [[Security:Security_Advisories/BSSA-2022-02|corresponding CVE entry]] is still pending and will be published soon. It is highly recommended that all users update their installation of BlueSpice 4 as soon as possible.


[[de:Meldung/XSS attack]]
Admin users can also access the page ''Special:Readers/Page_Name''. This special page shows the list of all readers of a page with the date of their last visit.
[[en:{{FULLPAGENAME}}]]
<br />
==Configuration==
In the [[Manual:Extension/BlueSpiceConfigManager|Config manager]], wiki admins can change the settings for this feature. Here, the number of readers to be shown in the flyout can be changed (defaults to 10).
 
<br />
[[File:Manual:Readers2a.png|alt=|center|thumb|Configuration of BlueSpiceReaders|381x381px]]
{{Box Links-en|Topic1=[[Reference:BlueSpiceReaders]]}}
{{Translation}}
__FORCETOC__
[[Category:Page tools]]
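
Review bot: in the [[File:Manual:PageInformation Reader.png|...]] line under "Viewing the readers of a page", the link parameter is written as "link=link=Special:FilePath/Readers1a.png", with the "link=" prefix doubled, so the link target is no longer just "Special:FilePath/Readers1a.png". Suggest a single "link=". The same line embeds "Manual:PageInformation Reader.png" while the link points at "Readers1a.png", so it is worth confirming that both refer to the intended screenshot.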

Latest revision as of 17:17, 20 May 2022


The extension Readers displays the readers of a wiki page.

Viewing the readers of a page

Users must have admin rights to see the readers of a page. The list of readers is shown on the page information, which can be accessed from the page tools.

Readers in the page information flyout


Admin users can also access the page Special:Readers/Page_Name. This special page shows the list of all readers of a page with the date of their last visit.

Configuration

In the Config manager, wiki admins can change the settings for this feature. Here, the number of readers to be shown in the flyout can be changed (defaults to 10).


Configuration of BlueSpiceReaders
