Announcement/XSS attack and Security:Security Advisories/BSSA-2022-02: Difference between pages

Revision as of 09:19, 26 April 2022

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.

Upgrade to BlueSpice 4.1.3

Special thanks to the security team of an undisclosed customer

To submit feedback about this documentation, visit our community forum.

@@ Line 1: / Line 1: @@
-{{Featurepage|featured=true|featuredesc=Patch Release 4.1.3 contains an important '''security fix''' for a “reflected XSS” attack. <span class="bi bi-exclamation-circle-fill" style="color:orange"></span>|featurestart=04/25/2022}}
+{| class="wikitable"
-==Event==
+|+
-XSS attack vector in ''mwstake/mediawiki-component-commonuserinterface.''
+!
+!
+|-
+|Date
+|2022-04-25
+|-
+|Severity
+|Medium
+|-
+|Affected
+|BlueSpice 4.x
+|-
+|Fixed in
+|4.1.3
+|}
-== Evaluation of the vulnerability in BlueSpice ==
+== Problem ==
-The value from 'title' parameter get's unsanitized to the output (e.g. in 'list-group-item').
+Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL.
-[[Setup:Release Notes#4.1.3|Patch release 4.1.3]] contains an important security-fix for this attack.
+== Solution ==
+Upgrade to BlueSpice 4.1.3
-The [[Security:Security_Advisories/BSSA-2022-02|corresponding CVE entry]] is still pending and will be published soon. It is highly recommended that all users update their installation of BlueSpice 4 as soon as possible.
+== Acknowledgements ==
+Special thanks to the security team of an undisclosed customer
-[[de:Meldung/XSS attack]]
-[[en:{{FULLPAGENAME}}]]