Potential XSS in common user interface component library
Description
Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BlueSpice 4.x with Common User Interface 3.0.x before 3.0.5 is vulnerable to cross-site scripting (XSS): some UI elements emit user-controllable data without output sanitization, so arbitrary HTML can be injected into rendered pages.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Common User Interface (CUI) component used by BlueSpice 4.x. In CUI 3.0.x versions before 3.0.5, some UI elements fail to properly sanitize their output, so data that reaches them is written into the page as HTML rather than as escaped text, allowing arbitrary HTML and script injection [1]. The description does not state whether the injected content is stored or reflected.
Exploitation
Exploitation requires getting attacker-controlled text into data that a vulnerable UI element renders. The references do not detail the exact vector; the root cause is the missing output sanitization, meaning user-controllable data is interpolated into HTML without escaping [1]. Any input field or data source that feeds the affected elements is therefore a candidate injection point.
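To make the root cause concrete, here is an added example (not code from BlueSpice or the Common User Interface library) that contrasts the unsafe pattern the advisory describes, a UI element interpolating user-controlled data straight into HTML, with a render that escapes each value for its context. The element name, field names, sample payload and helper functions are all constructed for illustration.

```javascript
// Added example: generic output-escaping pattern for a UI element.
// Not the Common User Interface library's own code; names and the
// sample payload are constructed.

// Escape a value for HTML text content and double-quoted attribute values.
// Covers the five characters that can start a tag, entity or close a quote.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern (the class of bug described): label and title are
// user-controlled and are written into the markup unchanged.
function renderMenuItemUnsafe(item) {
  return `<li class="cui-item" title="${item.title}">${item.label}</li>`;
}

// Hardened pattern: every interpolated value is escaped. The attribute
// value and the text node both use the HTML escaper, which is correct for
// those two contexts; a value placed inside a script block or a URL would
// need a different, context-specific encoding.
function renderMenuItemSafe(item) {
  return `<li class="cui-item" title="${escapeHtml(item.title)}">${escapeHtml(item.label)}</li>`;
}

// Crude check for tests: count element tags in the output. The template
// contributes exactly two (<li ...> and </li>); anything more came from data.
function countTags(html) {
  const matches = html.match(/<\/?[a-z][^>]*>/gi);
  return matches ? matches.length : 0;
}

// Constructed sample: one payload breaks out of the attribute, the other
// injects a new element with an event handler.
const SAMPLE_ITEM = {
  label: '<img src=x onerror="alert(1)">',
  title: '" onmouseover="alert(1)',
};

// Stand-alone demonstration.
console.log("unsafe:", renderMenuItemUnsafe(SAMPLE_ITEM), "tags:", countTags(renderMenuItemUnsafe(SAMPLE_ITEM)));
console.log("safe:  ", renderMenuItemSafe(SAMPLE_ITEM), "tags:", countTags(renderMenuItemSafe(SAMPLE_ITEM)));
```

The escaper is applied at the point of output, which is the fix class implied by the description ("not properly sanitizing output"); filtering on input alone would not protect data that entered the system through another path.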
Impact
Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the victim's browser within the BlueSpice origin. Depending on the victim's privileges, this enables theft of data visible to that user, session hijacking, actions carried out with the victim's rights, or defacement [1].
Mitigation
The issue is fixed in Common User Interface 3.0.5, which ships with BlueSpice 4.2.1 and later [1]. Upgrade to BlueSpice 4.2.1 or later, or otherwise update the CUI component to 3.0.5 or later, and confirm after upgrading that the installed CUI version is at least 3.0.5. The vulnerability was discovered during an internal security audit [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Hallo Welt! GmbH / Common User Interface Component, affected version range: 3.0.x before 3.0.5 (as stated in the description above)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.