The XSS flaw exists within the “Edit menu” input. Users with regular account and edit permissions can inject arbitrary HTML into the “Edit menu” field.
A cross-site scripting (XSS) vulnerability in the BlueSpiceUserSidebar extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. This allows for targeted attacks.
Solution:
Update to the latest version of BlueSpice and disable the “Edit menu” input.
How did I find the vulnerability?
The vulnerability was discovered by a BlueSpice user who has access to the personal menu navigation.
Vulnerability Overview
The XSS flaw exists within the “Edit menu” input. Users with regular account and edit permissions can inject arbitrary HTML into the “Edit menu” field.
Vulnerability overview
The vulnerability exists within the “Edit menu” input within the personal navigation of your own and other users. If you're able to send a user interaction, you can inject arbitrary HTML into their personal menu.
Vulnerability Details
The XSS flaw exists within the “Edit menu” input. Users with regular account and edit permissions can inject arbitrary HTML into the “Edit menu” field. The vulnerability allows users to insert malicious code into the personal menu of their own or other users.
This vulnerability is an XSS vulnerability in the BlueSpiceUserSidebar extension of BlueSpice with user privileges allowing for targeted attacks.
Timeline
Published on: 11/15/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:43:00 UTC