BSSA-2022-08

Date: 2022-11-15
Severity: Medium
Affected:
  • BlueSpice 4.x
  • Common User Interface 3.0.x
Fixed in:
  • BlueSpice 4.2.1
  • Common User Interface 3.0.5
CVE: CVE-2022-3895

Problem

Some UI elements of the Common User Interface component do not properly sanitize their output and can therefore emit arbitrary HTML, which allows cross-site scripting (XSS).
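The following is an added illustration of the defect class described above, not code from BlueSpice or the Common User Interface component: a hypothetical menu-item renderer is shown once with unescaped interpolation and once with context-appropriate escaping. The class name and function names are assumed for the example.

```php
<?php
// Added example, not part of the BlueSpice / Common User Interface code base.
// A hypothetical UI element that renders a menu entry whose label and target
// may be derived from user-controlled wiki content.

// Vulnerable form: values are concatenated into the markup unchanged, so any
// '<', '>' or '"' in $label or $href becomes part of the page's HTML.
function renderMenuItemUnsafe(string $href, string $label): string {
    return '<a class="cui-menu-item" href="' . $href . '">' . $label . '</a>';
}

// Hardened form: every value is escaped for the context it lands in.
// ENT_QUOTES covers both text content and double- or single-quoted attribute
// values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escapeHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderMenuItemSafe(string $href, string $label): string {
    // Escaping alone does not neutralise a dangerous URL scheme, so the
    // target is restricted to site-relative or http(s) links.
    if (!preg_match('~^(https?://|/)~i', $href)) {
        $href = '#';
    }
    return '<a class="cui-menu-item" href="' . escapeHtml($href) . '">'
        . escapeHtml($label) . '</a>';
}

// Constructed sample input containing markup and a quote character.
$label = 'Help" <b>center</b>';
echo renderMenuItemUnsafe('/wiki/Main_Page', $label), "\n";
echo renderMenuItemSafe('/wiki/Main_Page', $label), "\n";
```

Running it shows the first line carrying the `<b>` tag into the page while the second renders the label as literal text.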

Solution

Upgrade to Common User Interface 3.0.5 or later. This is included in BlueSpice 4.2.1 or later.

Acknowledgements

Found during an internal security audit.