VYPR
Unrated severity · NVD Advisory · Published Nov 15, 2022 · Updated Apr 29, 2025

Potential XSS on custom menu navigation

CVE-2022-3893

Description

Cross-site Scripting (XSS) vulnerability in the BlueSpiceCustomMenu extension of BlueSpice allows a user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in BlueSpiceCustomMenu allows admin users to inject arbitrary HTML into custom navigation.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the BlueSpiceCustomMenu extension of BlueSpice. Users with admin permissions can inject arbitrary HTML into the custom menu navigation of the application. This affects BlueSpice 4.x before version 4.2.1 [1].

Exploitation

An attacker must have admin permissions on the BlueSpice instance. The attacker edits a menu item in the custom menu and inserts malicious HTML code, which is stored and rendered when other users view the navigation [1].

Impact

Successful exploitation allows the attacker to execute arbitrary HTML or JavaScript in the context of other users' browsers, potentially leading to session hijacking, defacement, or other malicious actions. The impact is limited by the admin-only precondition [1].

Mitigation

The vulnerability is fixed in BlueSpice 4.2.1. Users should upgrade to this version or later. As a workaround, limit admin privileges to trusted users only [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.


References: 1

News mentions: 0

No linked articles in our index yet.