| Summary | It was potentially possible to inject executable JavaScript code within the Linchpin Teaser macro, the Headline with menu macro and the Linchpin Navigation menu |
|---|---|
| Advisory Release Date | 2022-08-29 |
| Product | Linchpin Essentials |
| Affected Versions | Linchpin Intranet Suite 5.3.1 and all prior versions; Linchpin Essentials 2.3.1 and all prior versions |
| Fixed Versions | Linchpin Intranet Suite 5.3.2; Linchpin Essentials 2.3.2 |
Problem
The issues were discovered by visat via the Atlassian bug bounty program. The researcher identified that an attacker could potentially inject executable JavaScript code within the Linchpin Teaser macro, the Headline with menu macro and the Linchpin Navigation menu, which was then reflected to the viewing user.
Affected are the apps Linchpin Intranet Suite up to and including version 5.3.1 and Linchpin Essentials up to and including version 2.3.1.
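The class of flaw described above is a macro that copies editor-supplied parameters into page markup without encoding them. The following is an added illustration of that pattern beside its hardened form; it is not Linchpin's code and makes no claim about how the affected macros are implemented. The parameter names (`title`, `link`), the base URL and the sample values are constructed for the example.

```javascript
// Added illustration, not Linchpin's code: a teaser-style macro whose output is
// built from editor-supplied parameters and rendered to every viewer.

// Escape the characters that let a value break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: parameters are concatenated straight into markup, so whatever
// an editor types into the parameter is interpreted as HTML by the viewer's browser.
function renderTeaserUnsafe(params) {
  return `<div class="teaser"><h2>${params.title}</h2><a href="${params.link}">more</a></div>`;
}

// Only accept links that resolve to http(s); relative links are resolved against a
// constructed intranet base URL (an assumption for this example).
function safeHttpUrl(candidate) {
  try {
    const url = new URL(String(candidate), "https://intranet.example.invalid/");
    return url.protocol === "https:" || url.protocol === "http:" ? url.href : null;
  } catch {
    return null;
  }
}

// Hardened pattern: each parameter is encoded for the context it lands in, and the
// link is dropped entirely if it is not an http(s) URL.
function renderTeaserSafe(params) {
  const link = safeHttpUrl(params.link);
  const anchor = link ? `<a href="${escapeHtml(link)}">more</a>` : "";
  return `<div class="teaser"><h2>${escapeHtml(params.title)}</h2>${anchor}</div>`;
}

// Constructed sample input: a title carrying markup and a link carrying a script URL.
const sampleParams = {
  title: "News <script>alert(1)</script>",
  link: "javascript:alert(1)",
};

// Detection helper for the comparison: does the rendered HTML still contain a live script tag?
function containsRawScript(html) {
  return /<script/i.test(html);
}

console.log("unsafe:", renderTeaserUnsafe(sampleParams));
console.log("safe:  ", renderTeaserSafe(sampleParams));
```

Running the block shows the unsafe rendering carrying the script tag and the `javascript:` link verbatim, while the hardened rendering encodes the title as inert text and omits the link. The same two controls, context-aware output encoding plus an allow-list on URL schemes, are what a reviewer looks for when auditing any macro that echoes editor input to other users.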
Severity
Each vulnerability is rated as 8.7 according to CVSS. The score is calculated as CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N.
Solution
For Linchpin Essentials customers: Update to Linchpin Essentials 2.3.2 or later.
For Linchpin Suite customers: Update to Linchpin Suite 5.3.2 or later.
Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.
Link to this page: https://seibert.biz/20220829cveltpxss