Security:Security Advisories/BSSA-2022-02: Difference between revisions

VisualWikitext
(Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-04-25 |- |Severity |Medium |- |Affected |BlueSpice 4.x |- |Fixed in |4.1.3 |} == Problem == Users are able to inject arbitrary HTML...")
Tag: 2017 source edit
 
m ((username removed) (log details removed))
(2 intermediate revisions by the same user not shown)
Line 18: Line 18:


== Problem ==
== Problem ==
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <nowiki><code>title</code></nowiki> parameter. This can be triggered via URL.
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL.


== Solution ==
== Solution ==

Revision as of 12:06, 26 April 2022

Date 2022-04-25
Severity Medium
Affected BlueSpice 4.x
Fixed in 4.1.3

Problem

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.

Solution

Upgrade to BlueSpice 4.1.3

Acknowledgements

Special thanks to the security team of an undisclosed customer

Retrieved from "https://en.wiki.bluespice.com/w/index.php?title=Security:Security_Advisories/BSSA-2022-02&oldid=3338"
No categories assignedEdit

Discussions