Summary

It was potentially possible to execute JavaScript code using the space name within the "highlighted news" settings.
Advisory Release Date

Product

Linchpin Enterprise News

Linchpin Intranet Suite

Affected Versions

Linchpin Enterprise News 2.22.6 and all prior versions

Linchpin Intranet Suite 5.8.4 and all prior versions

Fixed Versions

Enterprise News Bundle 2.22.7

Linchpin Suite 5.8.5

🔍 Problem

This issue was discovered by Jafar Abo Nada via the Atlassian bug bounty program.

The researcher identified that an attacker could potentially inject executable JavaScript code within the "highlighted news" settings, and that this code was then reflected to the viewing user.

Affected are the apps Linchpin Enterprise News up to and including version 2.22.6 and Linchpin Intranet Suite up to and including version 5.8.4.

❗️ Severity

The vulnerability is rated 8.7 (High) according to CVSS 3.0. The score is calculated from the vector CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N.

✅ Solution

For Linchpin Enterprise News customers:

Update to Linchpin Enterprise News 2.22.7 or later.


For Linchpin Intranet Suite customers:

Update to Linchpin Suite 5.8.5 or later.

Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.

This page was last edited on 04/18/2024.