| Summary | Possible stored XSS in news teasers via video teaser url |
|---|---|
| Advisory Release Date |
|
| Product | Linchpin Enterprise News Linchpin Intranet Suite |
Affected Versions | Linchpin Enterprise News 2.23.3 and all prior versions Linchpin Intranet Suite 5.9.4 and all prior versions |
| Fixed Versions | Linchpin Enterprise News 2.23.4 Linchpin Intranet Suite 5.9.5 |
🔍 Problem
This issue was discovered via the Atlassian bug bounty program.
The researcher could identify that a user could possibly insert XSS via the news teaser video url of any news article and execute it inside the news hub.
Affected are the apps Linchpin Intranet Suite up to and including version 5.9.4 and Linchpin Enterprise News up to and including version 2.23.3.
❗️Severity
The vulnerability is rated as 8.7 according to CVSS. The score is calculated as CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N [8.7]
✅ Solution
For Linchpin Enterprise News customers: Update to the latest Marketplace version: Linchpin Enterprise News 2.23.4 or newer.
For Linchpin Intranet Suite customers: Update to the latest Marketplace version: Linchpin Intranet Suite 5.9.5 or newer.
Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.
Link to this page: https://seibert.biz/20240726cve-lenxss