Potential XSS in history view
Description
Cross-site Scripting (XSS) vulnerability in the BlueSpiceFoundation extension of BlueSpice allows a user with a regular account and edit permissions to inject arbitrary HTML into the history view of a wiki page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated editors can inject arbitrary HTML (XSS) into the history view of a wiki page via the BlueSpiceFoundation extension in BlueSpice 4.x.
Vulnerability
A stored Cross-site Scripting (XSS) vulnerability exists in the BlueSpiceFoundation extension of BlueSpice versions 4.x prior to 4.2.1. Users with a regular account and edit permissions can inject arbitrary HTML into the history view of a wikipage [1].
Exploitation
An attacker needs a valid user account with edit permissions and the ability to modify a wiki page's content or its associated metadata. The injected HTML is stored in the page history and is rendered when the history view is loaded by a victim [1].
Impact
Successful exploitation allows the attacker to have arbitrary HTML (and potentially JavaScript) rendered in the context of the victim's session, leading to information disclosure, session hijacking, or further account compromise [1].
Mitigation
The vulnerability is fixed in BlueSpice 4.2.1, released on 2022-11-15. All users should upgrade to this version. There is no known workaround for earlier releases [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 4
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.