Revision as of 17:23, 25 April 2022 by Margit Link-Rodrigue (talk | contribs)
| Date | 2022-04-25 |
| Severity | Medium |
| Affected | BlueSpice 4.x |
| Fixed in | 4.1.3 |
Problem
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL.
Solution
Upgrade to BlueSpice 4.1.3
Acknowledgements
Special thanks to the security team of an undisclosed customer
Discussions