Potential XSS on sidebar navigation
Description
Cross-site Scripting (XSS) vulnerability in the BlueSpiceDiscovery skin of BlueSpice allows a user with admin privileges to inject arbitrary HTML into the main navigation of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in BlueSpiceDiscovery skin allows admin to inject arbitrary HTML into main navigation.
Vulnerability
A stored Cross-site Scripting (XSS) vulnerability exists in the BlueSpiceDiscovery skin of BlueSpice versions 4.x prior to 4.2.1. Users with admin privileges can inject arbitrary HTML into the main navigation by editing a menu item, because the menu item content is rendered into the navigation without adequate output encoding [1].
Exploitation
An attacker must already hold admin privileges on the affected BlueSpice instance, so this is an insider or compromised-admin scenario rather than a remotely exploitable one. The attacker edits a menu item and places HTML or JavaScript in it; because the navigation is shown on every page, the payload executes in the browser of every user who loads the site, not only users who open the edited menu [1].
Impact
Successful exploitation lets the attacker execute arbitrary HTML and JavaScript in the origin of the wiki, in the browser of every user who loads a page carrying the main navigation. This can lead to session hijacking, actions performed with the victim's privileges, defacement, or other client-side attacks; because the payload is stored and served site-wide, it persists until the menu item is cleaned up.
Mitigation
Upgrade to BlueSpice 4.2.1, released on 2022-11-15, which contains the fix for this vulnerability [1]. No other workarounds are documented; until the upgrade is applied, review existing navigation menu items for injected markup and limit the admin role to trusted accounts.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Range: 4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.