| Summary | Possible XSS code execution via the magazine's "link" module |
|---|---|
| Advisory Release Date | |
| Product | Linchpin Enterprise News, Linchpin Intranet Suite |
| Affected Versions | Linchpin Enterprise News: all versions up to and including 2.16.1; Linchpin Intranet Suite: all versions up to and including 5.0.0 |
| Fixed Versions | Linchpin Enterprise News: 2.16.2 or newer; Linchpin Intranet Suite: 5.0.1 or newer |
Problem
We identified a security vulnerability in our Linchpin Enterprise News app: users could add external links to a magazine with the "link" module. This could lead to execution of `javascript:` URL code if the user (who needs permission to create and edit magazines) inserted the link multiple times, because the app did not filter out every such link.
All versions of the app Linchpin Enterprise News up to and including 2.16.1 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including version 5.0.0.
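The defensive pattern for this class of bug is a scheme allowlist applied to every submitted link, on every submission, rather than a denylist that has to recognize each spelling of `javascript:`. The following is an added example written for this advisory; it is not code from the Linchpin app, and the function names and the assumption that magazine links are absolute URLs are mine.

```javascript
// Added example, not Linchpin code: validate user-supplied link URLs with a
// scheme allowlist. Only these schemes may reach an href attribute.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized URL string if the link is acceptable, otherwise null.
function sanitizeLinkUrl(rawUrl) {
  if (typeof rawUrl !== "string") return null;
  let parsed;
  try {
    // The WHATWG URL parser (Node/browsers) strips leading/trailing control
    // characters and embedded tab/newline, and lowercases the scheme, so
    // " JavaScript:..." and "javascript:..." both end up with the same protocol.
    // Assumption: magazine links are absolute; a relative URL has no scheme to
    // check and is rejected rather than guessed at.
    parsed = new URL(rawUrl.trim());
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Filter every link in a magazine independently. Because the check is
// stateless and runs per link, submitting the same bad link several times
// cannot change the outcome; rejected links are returned so they can be logged.
function filterLinks(links) {
  const accepted = [];
  const rejected = [];
  for (const link of links) {
    const safe = sanitizeLinkUrl(link);
    if (safe === null) {
      rejected.push(link);
    } else {
      accepted.push(safe);
    }
  }
  return { accepted, rejected };
}

// Constructed sample input (not real magazine data).
const sampleLinks = [
  "https://example.com/news",
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "mailto:news@example.com",
];
console.log(filterLinks(sampleLinks));
```

Run the same check again at render time, not only on save, so that content stored before the fix is also covered; logging the `rejected` list gives a simple detection signal for users repeatedly submitting disallowed schemes.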
Severity
The vulnerability has been rated as High (8.7) according to the scale published under the Common Vulnerability Scoring System (CVSS).
Solution
For Linchpin Intranet Suite customers: Update to the latest Marketplace version: Linchpin Intranet Suite 5.0.1 or newer.
For Linchpin Enterprise News customers: Update to the latest Marketplace version: Linchpin Enterprise News 2.16.2 or newer.
Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.
A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to stop working after app updates. If you use Linchpin-based theming, please refer to the knowledge base article "Parts of Linchpin or Confluence not accessible after update" for details.
Link to this page: https://seibert.biz/kbsecuritynotice21-05-magazine