Affected version
Introduced with 6eae497 on 16.04.2020, which is first included in the 3.2 release.
Has been patched in version 3.3 (in commit f3809fc, merged into master on 20.11.2020).
Impact
Due to insufficient user input validation and escaping, the application is vulnerable
to persistent (stored) cross-site scripting (XSS).
In the web application, users can enter rich text in various places, e.g.
for personal notes or in motions. These fields can be used to store arbitrary
JavaScript code that is executed in the browser of every other user who reads the
respective text.
An attacker could exploit this vulnerability to manipulate the votes
of other users, hijack a moderator's session, or simply disrupt the
meeting.
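As an added illustration, not part of this advisory and not the project's own fix, the following Python example shows the kind of server-side allowlist sanitization that removes this class of bug: rich text is reduced to a small set of formatting tags, every attribute other than a vetted `href` is dropped (which removes all `on*` event handlers), and `javascript:`/`data:` URLs are rejected even when obfuscated with embedded tab or newline characters. The allowlist, the function names and the sample note are assumptions constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a "notes"/"motion" rich-text field (not the project's).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # drop tag *and* its text content

_CTRL_WS = re.compile(r"[\x00-\x20]")


def safe_url(value: str) -> bool:
    """Accept http(s)/mailto and same-origin relative links only."""
    # Browsers strip tab/newline before URL parsing, so "java\tscript:" still
    # executes; strip the same characters before looking at the scheme.
    cleaned = _CTRL_WS.sub("", value)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme:
        return scheme in SAFE_URL_SCHEMES
    return cleaned.startswith(("/", "#"))


class RichTextSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised fragments
        self.open_tags = []    # stack used to keep output well-nested
        self.skip_depth = 0    # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, div, iframe, ...): drop tag, keep text
        rendered = [tag]
        for name, value in attrs:
            # Anything not explicitly allowed is dropped: onerror, style, ...
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_url(value):
                continue
            rendered.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(rendered) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close anything still open inside this element first.
            while True:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            # Decoded text is re-escaped, so "&" round-trips as "&amp;".
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(html_fragment: str) -> str:
    parser = RichTextSanitizer()
    parser.feed(html_fragment)
    return parser.result()


# Constructed sample of a hostile "personal note" (not from the advisory).
UNTRUSTED_NOTE = (
    '<p>Motion 42 <b>amendment</b> &amp; vote</p>'
    '<script>document.title="owned"</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">read more</a>'
    '<a href="https://openslides.com">project</a>'
)

if __name__ == "__main__":
    print(sanitize_rich_text(UNTRUSTED_NOTE))
```

The sanitizer is applied on the server before the text is stored, so every later reader receives the cleaned version regardless of which client renders it; a client-side sanitizer on its own leaves the stored payload intact for any other consumer of the data.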
References
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-043.txt
For more information
See contact options on openslides.com