Potential XSS in book navigation
Description
Cross-site Scripting (XSS) vulnerability in the BlueSpiceBookshelf extension of BlueSpice allows a user with a regular account and edit permissions to inject arbitrary HTML into the book navigation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in BlueSpiceBookshelf allows users with edit permissions to inject arbitrary HTML into book navigation.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the BlueSpiceBookshelf extension of BlueSpice. Users with a regular account and edit permissions can inject arbitrary HTML into the book navigation by editing a book chapter title. This affects BlueSpice 4.x versions prior to 4.2.1 [1].
Exploitation
An attacker must have a valid user account with edit permissions on a book. The attacker edits a chapter title to include HTML or JavaScript. Because the title is stored and the navigation is rebuilt from it, the injected markup is rendered unescaped in the book navigation whenever any other user views the book, with no further interaction required (stored XSS) [1].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML or JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The navigation component is only the injection point: script executing there runs with the full origin of the wiki, so what is limited is the audience (users who view the affected book), not what the script can do once it runs.
Mitigation
The vulnerability is fixed in BlueSpice version 4.2.1 [1]. Users should upgrade to this version or later. No workarounds are documented. The issue was discovered during an internal security audit.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.