cvelist HW CVELIST:CVE-2023-42431
History: Oct 30, 2023 - 10:48 a.m.

CVE-2023-42431 Potential XSS on user preferences page

2023-10-30 10:48:21
CWE-20
HW
www.cve.org
3
cve-2023-42431
cross-site scripting
bluespice
user preferences

CVSS3: 2.1

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

EPSS: 0
Percentile: 14.0%

Cross-site Scripting (XSS) vulnerability in the BlueSpiceAvatars extension of BlueSpice allows a logged-in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "BlueSpice",
    "vendor": "Hallo Welt! GmbH",
    "versions": [
      {
        "lessThanOrEqual": "4.3.2",
        "status": "affected",
        "version": "4",
        "versionType": "major"
      },
      {
        "lessThanOrEqual": "3.2.10",
        "status": "affected",
        "version": "3",
        "versionType": "major"
      }
    ]
  }
]
