No edit summary |
No edit summary |
||
| Line 26: | Line 26: | ||
== Problem == | == Problem == | ||
When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change. | |||
== Solution == | == Solution == | ||
* BlueSpice 4: Update to version 4.3.3 | * BlueSpice 4: Update to version 4.3.3 | ||
* BlueSpice 3: Update Extension:BlueSpiceAvatars version [https://github.com/wikimedia/mediawiki-extensions-BlueSpiceAvatars/tree/3.2.10.1 3.2.10.1] | * BlueSpice 3: Update Extension:BlueSpiceAvatars version [https://github.com/wikimedia/mediawiki-extensions-BlueSpiceAvatars/tree/3.2.10.1 3.2.10.1] | ||
== Acknowledgements == | == Acknowledgements == | ||
Special thanks to the security team of an undisclosed customer. | Special thanks to the security team of an undisclosed customer. | ||
Latest revision as of 12:56, 30 October 2023
| Date | 2023-10-30 |
| Severity | Low |
| Affected |
|
| Fixed in |
|
| CVE | CVE-2023-42431 |
Problem
When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change.
Solution
- BlueSpice 4: Update to version 4.3.3
- BlueSpice 3: Update Extension:BlueSpiceAvatars version 3.2.10.1
Acknowledgements
Special thanks to the security team of an undisclosed customer.
Discussions