Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the
title parameter. This can be triggered via URL.
Upgrade to BlueSpice 4.1.3
Special thanks to the security team of an undisclosed customer