Potential XSS in comment section
Description
Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in BlueSpiceSocialProfile extension allows authenticated users with comment permissions to inject arbitrary HTML.
Vulnerability
The BlueSpiceSocialProfile extension for BlueSpice 4.x contains a stored cross-site scripting (XSS) vulnerability. Authenticated users with comment permissions can inject arbitrary HTML into the comment section of a wikipage due to insufficient sanitization. Affected: BlueSpice 4.x prior to 4.2.1 [1].
Exploitation
An attacker needs a valid account with comment permissions. The attacker posts a crafted comment containing malicious HTML/JavaScript. No additional user interaction is required; the payload executes when any user views the comment.
Impact
Successful exploitation results in arbitrary JavaScript execution in the viewer's browser context. This can lead to session hijacking, defacement, or phishing attacks. The XSS is stored, affecting all users who view the malicious comment.
Mitigation
Upgrade to BlueSpice 4.2.1, released on 2022-11-15, which fixes this vulnerability [1]. No workarounds are documented.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: 4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.