SummaryPossible XSS code execution via the magazine's "link" module
Advisory Release Date


  • Linchpin Enterprise News
  • Linchpin Intranet Suite

Affected Versions

Linchpin Enterprise News:

  • 2.16.1 and earlier

Linchpin Intranet Suite:

  • 5.0.0 and earlier
Fixed Versions

Linchpin Enterprise News:

  • 2.16.2

Linchpin Intranet Suite:

  • 5.0.1


We were able to identify a security vulnerability in our Linchpin Enterprise News app: Users could potentially add external links to a magazine with the use of the "link" module. This could lead to an execution of a javascript: code if the user (who would need the permission to create and edit magazines) inserted the code multiple times, as not all links were successfully filtered out by the app.

All versions of the app Linchpin Enterprise News up to and including 2.16.1 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including version 5.0.0.


The vulnerability has been rated as High (8.7) according to the scale published under the Common Vulnerability Scoring System (CVSS).


For Linchpin Intranet Suite customers: Update to the latest Marketplace version: Linchpin Intranet Suite 5.0.1 or newer.

For Linchpin Enterprise News customers: Update to the latest Marketplace version: Linchpin Enterprise News 2.16.2 or newer.

Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at

A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to not work properly after performing app updates. For more details, please refer to Parts of Linchpin or Confluence not accessible after update in our knowledge base if you're using Linchpin-based theming.

This content was last updated on 07/23/2021.

This content hasn't been updated in a while. That doesn't have to be a problem. Some of our pages live for years without becoming obsolete. Please click this link if you want us to update this page. Old content can be incorrect, misleading or outdated. Please get in contact with us via a form on this page, our live chat or via email with if you are in doubt, have a question, suggestion, or want changes from us.