Date | 2022-04-25 |
Severity | Medium |
Affected | BlueSpice 4.x |
Fixed in | 4.1.3 |
CVE | CVE-2022-2511 |
1. Problem
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title
parameter. This can be triggered via URL.
2. Solution
Upgrade to BlueSpice 4.1.3
3. Acknowledgements
Special thanks to the security team of an undisclosed customer