Potential XSS on default page header
Description
Cross-site Scripting (XSS) vulnerability in the BlueSpiceDiscovery skin of BlueSpice allows a logged-in user with edit permissions to inject arbitrary HTML into the default page header of a wiki page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS in BlueSpiceDiscovery allows authenticated editors to inject arbitrary HTML into the page header, fixed in BlueSpice 4.2.1.
Vulnerability
A stored Cross-site Scripting (XSS) vulnerability exists in the BlueSpiceDiscovery skin of BlueSpice. A logged-in user with edit permissions can inject arbitrary HTML into the default page header of a wiki page. The affected version is BlueSpice 4.x prior to 4.2.1 [1].
Exploitation
An attacker needs a valid account with edit permissions on the wiki. No additional privileges are required; the attacker can craft malicious HTML payloads and save them via the user preference interface, which then renders in the page header for other users [1].
Impact
Successful exploitation allows the attacker to inject arbitrary HTML or JavaScript into the context of the victim's browser session. This can lead to session hijacking, defacement, or phishing attacks within the BlueSpice environment, affecting confidentiality, integrity, and availability of user data [1].
Mitigation
BlueSpice has released a fixed version 4.2.1 that addresses this vulnerability. Users should upgrade to BlueSpice 4.2.1 or later. No workarounds are provided in the advisory [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.