CVE-2022-30278: Product Security Advisory: Reflected cross-site scripting in Black Duck Hub | Synopsys

Posted by on Monday, May 9, 2022

CVE-2022-30278 is a reflected cross-site scripting (XSS) vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files.

CVE: CVE-2022-30278
Severity: High (7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
First Published: May 9, 2022
Last Updated: May 9, 2022

Summary

A vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files could allow an unauthenticated remote attacker to conduct a cross-site scripting attack.

The vulnerability is due to improper validation of user-supplied input to MadCap Flare’s framework embedded within Black Duck Hub’s help documentation. An attacker could exploit this vulnerability by convincing a user to click a link designed to pass malicious input to the interface, letting the attacker conduct cross-site scripting attacks and gain access to sensitive browser-based information.

CVE-2022-30278 was addressed in the 2022.4.0 version of Black Duck Hub that was released on April 28, 2022, and can be found here: https://github.com/blackducksoftware/hub/releases/tag/v2022.4.0

Remediation

If your installation is hosted by Synopsys, Black Duck Hub was automatically patched during emergency maintenance without downtime on May 5, 2022.

If you are using an installation that is not hosted by Synopsys, you are advised to upgrade to the latest version as soon as possible. If you’re unable to do this for any reason, please submit a support case via https://community.synopsys.com/s/contactsupport

Subscribe to the blog for the latest AppSec news

Subscribe now