BlueSpice Helpdesk - User contributions [en]

Security:Security Advisories/BSSA-2023-01

2023-07-25T13:35:24Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2023-07-25
|-
|Severity
|Medium
|-
|Affected
|
* BlueSpice Infrastructure: Ghostscript
|-
|Fixed in
|
* Ghostscript 9.53.3 and 10.01.2
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
|}

== Problem ==
A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.

PDFHandler is not enabled by default, but many installations have set it active.

== Solution ==
Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>.

If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.

== Resources ==
* For Debian: https://www.debian.org/security/2023/dsa-5446
* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2023-01

2023-07-25T12:43:51Z

Mglaser: Ghostscript BSSA

{| class="wikitable"
|+
!
!
|-
|Date
|2023-07-25
|-
|Severity
|Medium
|-
|Affected
|
* BlueSpice Infrastructure: Ghostscript
|-
|Fixed in
|
* Ghostscript 9.53.0 and 10.01.2
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
|}

== Problem ==
A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.

PDFHandler is not enabled by default, but many installations have set it active.

== Solution ==
Upgrade Ghostscript to a fixed version.

If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.

== Resources ==
* For Debian: https://www.debian.org/security/2023/dsa-5446
* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories

2022-11-15T08:21:20Z

Mglaser:

{| class="wikitable" style="width:100%;"
!Release name
!Release date
!Title
!References
!Summary
|-
|[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
|2022-01-31
|XSS attack vector in Search Center
|[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
|JavaScript in search field is reflected back to the browser.
|-
|[[Security:Security Advisories/BSSA-2022-02|BSSA-2022-02]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
|Arbitrary HTML injection through the 'title' parameter
|-
|[[Security:Security Advisories/BSSA-2022-03|BSSA-2022-03]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
|Arbitrary HTML injection through main navigation
|-
|[[Security:Security Advisories/BSSA-2022-04|BSSA-2022-04]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789], [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814], [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
|Arbitrary HTML injection through user preferences
|-
|[[Security:Security Advisories/BSSA-2022-05|BSSA-2022-05]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
|Arbitrary HTML injection through the book navigation
|-
|[[Security:Security Advisories/BSSA-2022-06|BSSA-2022-06]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
|Arbitrary HTML injection through the custom menu
|-
|[[Security:Security Advisories/BSSA-2022-07|BSSA-2022-07]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
|Arbitrary HTML injection through personal menu items
|-
|[[Security:Security Advisories/BSSA-2022-08|BSSA-2022-08]]
|2022-11-15
|XSS attack vector on regular pages
|[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
|Arbitrary HTML injection through use of interface elements
|}

Security:Security Advisories/BSSA-2022-08

2022-11-15T08:11:52Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-15
|-
|Severity
|Medium
|-
|Affected
|
* BlueSpice 4.x
* Common User Interface 3.0.x
|-
|Fixed in
|
* BlueSpice 4.2.1
* Common User Interface 3.0.5
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
|}

== Problem ==
Some UI elements of the Common user interface component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).

== Solution ==
Upgrade to Common User Interface 3.0.5 or later. This is included in BlueSpice 4.2.1 or later.

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-07

2022-11-15T08:11:23Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-15
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
|}

== Problem ==
Users with edit rights are able to inject arbitrary HTML (XSS) into a user's personal navigation by editing a menu item. This allows for targeted attacks

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-06

2022-11-15T08:11:00Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-15
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
|}

== Problem ==
Users with admin rights are able to inject arbitrary HTML (XSS) into custom navigation by editing a menu item.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-05

2022-11-15T08:10:35Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-15
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
|}

== Problem ==
Users with edit rights are able to inject arbitrary HTML (XSS) into book navigation by editing a book chapter title.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-04

2022-11-15T08:10:06Z

Mglaser:

{| class="wikitable" style=""
|+
!
!
|-
|Date
|2022-11-15
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814]
* [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
|}

== Problem ==
Logged in users are able to inject arbitrary HTML (XSS) into several locations in the main interface by editing their user preferences.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-03

2022-11-15T08:09:17Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-15
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
|}

== Problem ==
Users with admin rights are able to inject arbitrary HTML (XSS) into main navigation by editing a menu item.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-08

2022-11-11T16:12:17Z

Mglaser: Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-11-08 |- |Severity |Medium |- |Affected | * BlueSpice 4.x * Common User Interface 3.0.x |- |Fixed in | * BlueSpice 4.2.1 * Common Us..."

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Medium
|-
|Affected
|
* BlueSpice 4.x
* Common User Interface 3.0.x
|-
|Fixed in
|
* BlueSpice 4.2.1
* Common User Interface 3.0.5
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-3895 CVE-2022-3895]
|}

== Problem ==
Some UI elements of the Common user interface component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).

== Solution ==
Upgrade to Common User Interface 3.0.5 or later. This is included in BlueSpice 4.2.1 or later.

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-07

2022-11-11T15:57:30Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-3958 CVE-2022-3958]
|}

== Problem ==
Users with edit rights are able to inject arbitrary HTML (XSS) into a user's personal navigation by editing a menu item. This allows for targeted attacks

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-05

2022-11-11T15:50:51Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-42001 CVE-2022-42001]
|}

== Problem ==
Users with edit rights are able to inject arbitrary HTML (XSS) into book navigation by editing a book chapter title.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-06

2022-11-11T15:48:50Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-3893 CVE-2022-3893]
|}

== Problem ==
Users with admin rights are able to inject arbitrary HTML (XSS) into custom navigation by editing a menu item.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-04

2022-11-11T15:40:10Z

Mglaser:

{| class="wikitable" style=""
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41814 CVE-2022-41814]
* [https://www.cve.org/CVERecord?id=CVE-2022-42000 CVE-2022-42000]
|}

== Problem ==
Logged in users are able to inject arbitrary HTML (XSS) into several locations in the main interface by editing their user preferences.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-07

2022-11-11T15:21:47Z

Mglaser: Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-11-08 |- |Severity |Medium |- |Affected |BlueSpice 4.x |- |Fixed in |BlueSpice 4.2.1 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-..."

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-416XX CVE-2022-416XX]
|}

== Problem ==
Users with edit rights are able to inject arbitrary HTML (XSS) into a user's personal navigation by editing a menu item. This allows for targeted attacks

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-06

2022-11-11T15:20:46Z

Mglaser: Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-11-08 |- |Severity |Low |- |Affected |BlueSpice 4.x |- |Fixed in |BlueSpice 4.2.1 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-202..."

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-416XX CVE-2022-416XX]
|}

== Problem ==
Users with admin rights are able to inject arbitrary HTML (XSS) into custom navigation by editing a menu item.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-05

2022-11-11T15:19:16Z

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-41XXX CVE-2022-41XXXX]
|}

== Problem ==
Users with edit rights are able to inject arbitrary HTML (XSS) into book navigation by editing a book chapter.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-04

2022-11-11T15:18:06Z

Mglaser:

{| class="wikitable" style=""
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
|}

== Problem ==
Logged in users are able to inject arbitrary HTML (XSS) into several locations in the main interface by editing their user preferences.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-04

2022-11-11T15:16:38Z

Mglaser: Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-11-08 |- |Severity |Medium |- |Affected |BlueSpice 4.x |- |Fixed in |BlueSpice 4.2.1 |- |CVE | * [https://www.cve.org/CVERecord?id=C..."

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
* [https://www.cve.org/CVERecord?id=CVE-2022-41789 CVE-2022-41789]
|}

== Problem ==
Users with admin rights are able to inject arbitrary HTML (XSS) into several locations in the main interface by editing their user preferences.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-03

2022-11-08T16:15:19Z

{| class="wikitable"
|+
!
!
|-
|Date
|2022-11-08
|-
|Severity
|Low
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.2.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-41611 CVE-2022-41611]
|}

== Problem ==
Users with admin rights are able to inject arbitrary HTML (XSS) into main navigation by editing a menu item.

== Solution ==
Upgrade to BlueSpice 4.2.1

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2022-02

2022-07-22T19:59:52Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-04-25
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|4.1.3
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-2511 CVE-2022-2511]
|}

== Problem ==
Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the <code>title</code> parameter. This can be triggered via URL.

== Solution ==
Upgrade to BlueSpice 4.1.3

== Acknowledgements ==
Special thanks to the security team of an undisclosed customer

Security:Security Advisories/BSSA-2022-01

2022-07-22T19:57:56Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-01-31
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 3.x, BlueSpice 4.x
|-
|Fixed in
|BlueSpice 3.2.9, BlueSpice 4.1.1
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2022-2510 CVE-2022-2510]
|}

== Problem ==
Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.

== Solution ==
Upgrade to BlueSpice 4.1.1

== Acknowledgements ==
Special thanks to the security team of an undisclosed customer

Security:Security Advisories

2022-07-22T19:56:25Z

Mglaser:

Security:Security Advisories/BSSA-2022-01

2022-03-24T14:33:10Z

Mglaser:

{| class="wikitable"
|+
!
!
|-
|Date
|2022-01-31
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 3.x, BlueSpice 4.x
|-
|Fixed in
|BlueSpice 3.2.9, BlueSpice 4.1.1
|}

== Problem ==
Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.

== Solution ==
Upgrade to BlueSpice 4.1.1

== Acknowledgements ==
Special thanks to the security team of an undisclosed customer

Security:Security Advisories

2022-03-24T10:55:26Z

Mglaser:

SocialEntity:323

2022-03-24T10:54:20Z

Mglaser:

{
"wikipageid": 1704,
"namespace": 0,
"titletext": "Security:Security Advisories/BSSA-2022-01",
"description": "",
"parentid": 0,
"id": 323,
"ownerid": 16,
"type": "wikipage",
"archived": false,
"tags": [
"Security:Security Advisories/BSSA-2022-01"
],
"resolved": false
}

Security:Security Advisories/BSSA-2022-01

2022-03-24T10:54:20Z

Mglaser: Created page with "{| class="wikitable" |+ ! ! |- |Date |2022-01-31 |- |Severity |Medium |- |Affected |BlueSpice 4.x |- |Fixed in |BlueSpice 4.1.2 |} == Problem == Users are able to inject arbi..."

{| class="wikitable"
|+
!
!
|-
|Date
|2022-01-31
|-
|Severity
|Medium
|-
|Affected
|BlueSpice 4.x
|-
|Fixed in
|BlueSpice 4.1.2
|}

== Problem ==
Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.

== Solution ==
Upgrade to BlueSpice 4.1.2

== Acknowledgements ==
Special thanks to the security team of an undisclosed customer

Security:Security Advisories

2022-03-24T10:43:24Z

Mglaser: Add information about XSS attack vulnerability

{| class="wikitable" style="width:100%;"
!Release name
!Release date
!Title
!References
!Summary
|-
|[[Security:Security Advisories/BSSA-2022-01|BSSA-2022-01]]
|2022-01-31
|XSS attack vector in Search Center
|CVE-???
|JavaScript in search field is reflected back to the browser.
|-
|
|
|
|
|
|-
|
|
|
|
|
|-
|
|
|
|
|
|-
|
|
|
|
|
|}

User:Mglaser

2022-03-24T10:29:15Z

Mglaser: create user page