CVE-2022-3958: BlueSpiceUserSidebar extension has an XSS flaw that allows a user with a regular account and edit permissions to inject arbitrary HTML.

The XSS flaw exists in the “Edit menu” input of the user sidebar. Users with only a regular account and edit permissions can inject arbitrary HTML into the “Edit menu” field.

A cross-site scripting (XSS) vulnerability in the BlueSpiceUserSidebar extension of BlueSpice allows a user with a regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own account and of other users. Because the injected markup is rendered in the browser of whichever user the menu belongs to, this allows for targeted attacks against individual users.

Solution:

Update to the latest version of BlueSpice. As an additional mitigation, disable the “Edit menu” input so that regular users cannot modify the personal navigation.

How was the vulnerability found?

The vulnerability was discovered by a BlueSpice user who had access to the personal menu navigation.

Vulnerability Overview

The vulnerability exists in the “Edit menu” input of the personal navigation. The field accepts HTML without sanitization, and users with a regular account and edit permissions can use it to place arbitrary HTML into the personal menu of their own account and of other users. Since the menu is part of the sidebar, the injected HTML is rendered whenever the affected user loads their personal menu.

Vulnerability Details

The “Edit menu” field accepts arbitrary HTML from users who have only a regular account and edit permissions. That HTML is stored and later rendered in the personal menu of the attacker's own account or of other users, so an attacker can insert malicious markup that executes in a chosen victim's browser. This makes the flaw an XSS vulnerability in the BlueSpiceUserSidebar extension of BlueSpice that is exploitable with ordinary user privileges and allows for targeted attacks.
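The following is an added illustration of the vulnerability class described above (stored HTML injection through a user-editable menu definition), not code from BlueSpice or from the advisory. The “Label|Target” line format, the function names and the sample menu input are assumptions made for the example; the sample input is constructed and nothing is rendered in a browser here.

```javascript
// Added example for CVE-2022-3958's vulnerability class: stored HTML injection
// via a user-editable sidebar menu. NOT BlueSpice code; the "Label|Target" line
// format, the function names and the sample input are assumptions.

// Constructed sample "Edit menu" input: two legitimate entries, one entry whose
// label carries an HTML payload, and one whose target is a javascript: URL.
const SAMPLE_MENU_INPUT = [
  "Home|/wiki/Main_Page",
  "Recent changes|/wiki/Special:RecentChanges",
  '<img src=x onerror="alert(document.cookie)">|/wiki/Main_Page',
  "Support|javascript:alert(1)",
].join("\n");

// Parse one "Label|Target" entry per line; an entry without "|" has no target.
function parseMenu(menuText) {
  return menuText
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const sep = line.indexOf("|");
      return sep === -1
        ? { label: line, target: "" }
        : { label: line.slice(0, sep), target: line.slice(sep + 1) };
    });
}

// Vulnerable renderer: user-controlled text is interpolated straight into
// markup, so whatever the user typed becomes live HTML in the sidebar of
// every user whose menu contains the entry.
function renderMenuUnsafe(menuText) {
  return parseMenu(menuText)
    .map(({ label, target }) => `<li><a href="${target}">${label}</a></li>`)
    .join("");
}

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Allow-list the link target: relative wiki paths (but not protocol-relative
// "//host" URLs) and absolute http(s) URLs. Everything else (javascript:,
// data:, vbscript:, ...) is replaced by an inert "#".
function safeTarget(target) {
  const t = target.trim();
  if (t.startsWith("/") && !t.startsWith("//")) return t;
  if (/^https?:\/\//i.test(t)) return t;
  return "#";
}

// Hardened renderer: escape every user-controlled string for the context it
// lands in and allow-list the URL scheme. Escaping alone would not be enough
// for href, since an escaped "javascript:" URL is still executed on click.
function renderMenuSafe(menuText) {
  return parseMenu(menuText)
    .map(({ label, target }) =>
      `<li><a href="${escapeHtml(safeTarget(target))}">${escapeHtml(label)}</a></li>`)
    .join("");
}

// Invariant a test suite can check on rendered output: each entry contributes
// exactly four tags (<li>, <a>, </a>, </li>). Any extra tag came from user input.
function tagCount(html) {
  return (html.match(/<[a-z/]/gi) || []).length;
}

function menuRendersOnlyExpectedTags(menuText, html) {
  return tagCount(html) === 4 * parseMenu(menuText).length;
}
```

Running the two renderers over the constructed input shows the difference: the unsafe output contains a live `<img ... onerror=...>` tag and an `href="javascript:..."` link, while the hardened output carries the same label as escaped text and replaces the javascript: target with `#`. The tag-count invariant is a cheap regression check for the hardened path, since no amount of user input can add a fifth tag per entry once labels and targets are escaped.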
