MidnightBSD

Advisories for hallowelt

CVE-2022-2510

Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security@bluespice.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hallowelt bluespice *
hallowelt bluespice 4.1.0
CVE-2022-2511

Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@bluespice.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2022-3893

Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application.

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2022-3895

Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).

Products Affected

Vendor Product Version
hallowelt bluespice *
hallowelt common_user_interface *
CVE-2022-3958

Cross-site Scripting (XSS) vulnerability in BlueSpiceUserSidebar extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. This allows for targeted attacks.

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2022-41611

Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows user with admin privileges to inject arbitrary HTML into the main navigation of the application.

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2022-41789

Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows logged in user with edit permissions to inject arbitrary HTML into the default page header of a wikipage.

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2022-41814

Cross-site Scripting (XSS) vulnerability in BlueSpiceFoundation extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the history view of a wikipage.

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2022-42000

Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage.

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2022-42001

Cross-site Scripting (XSS) vulnerability in BlueSpiceBookshelf extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the book navigation.

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2023-42431

Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension of BlueSpice allows logged in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@bluespice.com 2.1 LOW CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N 0.7 1.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2025-46703

Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2025-48007

Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2025-57880

Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS). This issue affects BlueSpice: from 5 through 5.1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hallowelt bluespice *
CVE-2025-58114

Improper Input Validation vulnerability in Hallo Welt! GmbH BlueSpice (Extension:CognitiveProcessDesigner) allows Cross-Site Scripting (XSS).This issue affects BlueSpice: from 5 through 5.1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
hallowelt bluespice *