CVE-2023-42431

low-risk

Published 2023-10-30

Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension of BlueSpice allows logged in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.1/10 Low

ADJACENT_NETWORK / LOW complexity

Affected Products (1)

Bluespice

Affected Vendors

Hallowelt

References (2)

Exploit https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2023-02

/ 100

low-risk

Severity 9/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal