Headline
CVE-2022-2511: Security:Security Advisories/BSSA-2022-02 - BlueSpice Wiki
Cross-site Scripting (XSS) vulnerability in the “commonuserinterface” component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL.
Date
2022-04-25
Severity
Medium
Affected
BlueSpice 4.x
Fixed in
4.1.3
Problem
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.
Solution
Upgrade to BlueSpice 4.1.3
Acknowledgements
Special thanks to the security team of an undisclosed customer