CVE-2022-41789 BlueSpiceDiscovery skin of BlueSpice allows logged in user with edit permissions to inject arbitrary HTML into the default page header of a wikipage.

This can be exploited to perform cross-site scripting (XSS) attacks. An attacker can inject malicious HTML code into a vulnerable system by forcing user to visit a malicious website.

In order to exploit this vulnerability, an attacker must be able to force a user to visit a malicious website. This might be possible if user has weak password that is easy to guess or user browses to malicious website through a web browser with vulnerabilities such as cross-site scripting (XSS) or other social engineering techniques.
XSS can be used to steal sensitive information or attempt a phishing attack.

BlueSpice Discovery
CVE - 2016 - 1491 - XSS - Information disclosure occurs when log data is transmitted outside the intended system boundary (usually via the Internet) and an attacker is able to access that data. This can be done through various means, such as compromising the security of the data transmission channel.
Redis - XSS - Redis is a key-value data store program. Redis is often used as a caching server to speed up website access times. Redis also offers some basic data storage features, such as the ability to store a small set of key-value pairs. Redis does not provide a security mechanism to protect against data injection attacks like other data storage systems. Therefore, Redis is a high-risk Redis - XSS - Redis is a key-value data store program. Redis is often used as a caching server to

Testing Environment

The following is a list of tools and scripts to help test for XSS vulnerabilities.

1) Burp Suite - This is a popular open-source tool that is used for testing web applications. It offers an integrated set of tools to perform a variety of tasks, such as crawling the application, intercepting and modifying requests, fuzzing attacks, and more.
2) OWASP Testing Tool - This tool can be used to generate payloads and explore options in order to discover potential vulnerabilities.
3) Fiddler - Fiddler is another popular open-source tool that can be used to test for web applications with different types of vulnerabilities. Fiddler has simple interface that allows users to intercept requests, modify responses, view source code, etc.
4) PhantomJS - PhantomJS is an open-source headless browser developed by Mozilla that allows users to navigate the web without having to worry about any graphical user interfaces or taking up system resources (RAM). Users simply need to create scripts that follow the standard JavaScript syntax and pass them into the PhantomJS scriptable API in order to have it execute those scripts in the browser window.

Timeline

Published on: 11/15/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:42:00 UTC

References

• https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41789