Summary | Possible JavaScript code execution in Cover Stories macro |
---|---|
Advisory Release Date | |
Product | |
Affected Versions | Linchpin Enterprise News:<br>Linchpin Intranet Suite: |
Fixed Versions | Linchpin Enterprise News:<br>Linchpin Intranet Suite: |
Problem
We identified a security vulnerability in our Linchpin Enterprise News app: if you create a blog post with a specially prepared title, JavaScript code is executed when the blog post is rendered inside the Cover Stories macro.
All versions of the app Linchpin Enterprise News up to and including 2.15.4 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including version 4.1.3.
Severity
The vulnerability has been rated as High (8.7) according to the scale published under the Common Vulnerability Scoring System (CVSS).
Solution
For Linchpin Intranet Suite customers: Update to the latest Marketplace version: Linchpin Intranet Suite 4.1.4 or newer.
For Linchpin Enterprise News customers: Update to the latest Marketplace version: Linchpin Enterprise News 2.15.5 or newer.
Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.
A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to not work properly after performing app updates. For more details, please refer to "Parts of Linchpin or Confluence not accessible after update" in our knowledge base if you're using Linchpin-based theming.
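For administrators triaging an instance, the following added example (not code from the vendor or the app) checks an installed version against the affected ranges stated above and flags existing blog post titles that contain markup for manual review. The version thresholds come from this advisory; the `MARKUP` heuristic, the function names and the sample posts are assumptions constructed for illustration.

```python
import re

# Last affected versions, taken from the advisory text.
LAST_AFFECTED = {
    "Linchpin Enterprise News": (2, 15, 4),
    "Linchpin Intranet Suite": (4, 1, 3),
}

# Heuristic (assumption of this example): a plain-text title should not
# contain HTML tags, inline event-handler attributes or javascript: URLs.
# It can produce false positives; hits are candidates for manual review.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def parse_version(text):
    """Turn '2.15.4' into (2, 15, 4); a missing patch level counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(product, version):
    """True if the installed version is at or below the last affected one."""
    return parse_version(version) <= LAST_AFFECTED[product]


def titles_to_review(posts):
    """Return the posts whose title matches the markup heuristic."""
    return [p for p in posts if MARKUP.search(p["title"])]


# Constructed sample data, e.g. as exported from a blog post listing.
SAMPLE_POSTS = [
    {"id": 101, "title": "Q3 results & outlook"},
    {"id": 102, "title": "Welcome <b>new</b> colleagues"},
    {"id": 103, "title": "Canteen menu <img src=x onerror=alert(1)>"},
]

if __name__ == "__main__":
    for product, version in [("Linchpin Enterprise News", "2.15.4"),
                             ("Linchpin Intranet Suite", "4.1.4")]:
        state = "AFFECTED, update required" if is_affected(product, version) else "fixed"
        print(f"{product} {version}: {state}")
    for post in titles_to_review(SAMPLE_POSTS):
        # repr() keeps the title inert when the report is read in a terminal.
        print(f"review blog post {post['id']}: {post['title']!r}")
```

Titles flagged on an affected instance are worth reviewing together with their author and creation date even after the update has been installed.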
Link to this page: https://seibert.biz/kbsecuritynotice21-05-len