It was potentially possible to execute JavaScript code using the space name within the "highlighted news" settings.
Advisory Release Date
Product
Linchpin Enterprise News
Linchpin Intranet Suite
Affected Versions
Linchpin Enterprise News 2.22.6 and all prior versions
Linchpin Intranet Suite 5.8.4 and all prior versions
Fixed Versions
Enterprise News Bundle 2.22.7
Linchpin Suite 5.8.5
🔍 Problem
This issue was discovered by Jafar Abo Nada via the Atlassian bug bounty program.
The researcher was able to identify that an attacker could potentially inject executable JavaScript code within the "highlighted news" settings and that said code was then reflected to the viewing user.
Affected are the apps Linchpin Enterprise News up to and including version 2.22.6 and Linchpin Intranet Suite up to and including version 5.8.4.
Update to Linchpin Enterprise News 2.22.7 or later.
For Linchpin Intranet Suite customers:
Update to Linchpin Suite 5.8.5 or later.
Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.