| [quality revision] | [quality revision] |
m ((username removed) (log details removed)) |
Tag: 2017 source edit |
||
| Line 15: | Line 15: | ||
|Fixed in | |Fixed in | ||
|4.1.3 | |4.1.3 | ||
| + | |- | ||
| + | |CVE | ||
| + | |[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511] | ||
|} | |} | ||
Latest revision as of 21:59, 22 July 2022
| Date | 2022-04-25 |
| Severity | Medium |
| Affected | BlueSpice 4.x |
| Fixed in | 4.1.3 |
| CVE | CVE-2022-2511 |
Problem[edit | edit source]
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.
Solution[edit | edit source]
Upgrade to BlueSpice 4.1.3
Acknowledgements[edit | edit source]
Special thanks to the security team of an undisclosed customer
Discussions