(Difference between pages)
No edit summary Tag: 2017 source edit |
No edit summary Tag: 2017 source edit |
||
Line 1: | Line 1: | ||
{ | {| class="wikitable" | ||
|+ | |||
! | |||
! | |||
|- | |||
|Date | |||
|2022-04-25 | |||
|- | |||
|Severity | |||
|Medium | |||
|- | |||
|Affected | |||
|BlueSpice 4.x | |||
|- | |||
|Fixed in | |||
|4.1.3 | |||
|} | |||
== | == Problem == | ||
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL. | |||
== Solution == | |||
Upgrade to BlueSpice 4.1.3 | |||
== Acknowledgements == | |||
Special thanks to the security team of an undisclosed customer | |||
Revision as of 09:19, 26 April 2022
Date | 2022-04-25 |
Severity | Medium |
Affected | BlueSpice 4.x |
Fixed in | 4.1.3 |
Problem
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title
parameter. This can be triggered via URL.
Solution
Upgrade to BlueSpice 4.1.3
Acknowledgements
Special thanks to the security team of an undisclosed customer