Date 2022-04-25
Severity Medium
Affected BlueSpice 4.x
Fixed in 4.1.3
CVE CVE-2022-2511

Problem[edit | edit source]

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.

Solution[edit | edit source]

Upgrade to BlueSpice 4.1.3

Acknowledgements[edit | edit source]

Special thanks to the security team of an undisclosed customer

No categories assignedEdit