Security release 2.23.1.1, and how to report vulnerabilities

Yesterday, we published the security release BlueSpice 2.23.1.1. Community user Frederic Mohr had reported a severe cross-site-scripting vulnerability with the Shoutbox, where arbitrary JavaScript code could be inserted in the box and would be executed on each page load. The fix he provided contains a minor change in the input handling. The new release fixes this vulnerability. There’s also a patch available for BlueSpice 2.23.1. The monthly release also contains the patch. Downloads and patches can be found at Sourceforge.
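The class of bug described above is a stored cross-site-scripting flaw: message text saved by one user is later written into the page as markup for every visitor. The following is an added example, not BlueSpice's own code and not the patch Frederic provided; it assumes a shoutbox that receives stored records of the shape `{user, text}` and renders them client-side, and it contrasts the unsafe string-concatenation rendering with two hardened variants (HTML-escaping every untrusted field, and building DOM nodes with `textContent` so no string is ever parsed as markup). The sample messages are constructed for the demonstration.

```javascript
// Added example (not part of the BlueSpice release or the original fix).
// Assumption: shout records look like { user: string, text: string } and are
// rendered in the browser after being fetched from the server.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that can change the meaning of HTML text or
// attribute content. Everything else passes through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// UNSAFE: untrusted fields are concatenated straight into markup, so a stored
// message containing tags is executed by every browser that loads the box.
function renderShoutUnsafe(shout) {
  return `<li class="shout"><b>${shout.user}</b>: ${shout.text}</li>`;
}

// SAFE (string variant): every untrusted field is escaped before it is
// concatenated, so tags in a message are displayed literally.
function renderShoutSafe(shout) {
  return `<li class="shout"><b>${escapeHtml(shout.user)}</b>: ${escapeHtml(shout.text)}</li>`;
}

// SAFE (DOM variant): build nodes and assign text via textContent. There is
// no string-to-markup step at all, so no escaping can be forgotten.
// `doc` is injectable so the function can be exercised outside a browser.
function appendShoutToList(listElement, shout, doc = document) {
  const item = doc.createElement('li');
  item.className = 'shout';
  const name = doc.createElement('b');
  name.textContent = shout.user;
  item.appendChild(name);
  const body = doc.createTextNode(`: ${shout.text}`);
  item.appendChild(body);
  listElement.appendChild(item);
  return item;
}

// Render a whole list of stored shouts with the safe string renderer.
function renderShoutboxSafe(shouts) {
  return `<ul class="shoutbox">${shouts.map(renderShoutSafe).join('')}</ul>`;
}

// Simple check a reviewer or test can run over rendered output: does the
// produced HTML still contain a raw <script tag or an inline event handler?
function containsRawMarkupHazard(html) {
  return /<script\b/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed sample input: one ordinary message and one carrying a script tag.
const SAMPLE_SHOUTS = [
  { user: 'alice', text: 'Hello everyone, welcome to the wiki!' },
  { user: 'mallory', text: '<script>alert(1)</script>' },
];

// Stand-alone run (Node or browser): show the difference between renderers.
console.log('unsafe:', SAMPLE_SHOUTS.map(renderShoutUnsafe).join(''));
console.log('safe:  ', renderShoutboxSafe(SAMPLE_SHOUTS));
if (typeof document !== 'undefined') {
  const list = document.createElement('ul');
  SAMPLE_SHOUTS.forEach((s) => appendShoutToList(list, s));
  document.body.appendChild(list);
}
```

The DOM variant is the one to prefer in a browser: escaping works, but it has to be applied to every field at every call site, whereas `textContent` makes the safe path the only path. Server-side, the same principle applies to whatever template or PHP code emits the shoutbox: encode on output, in the context the value lands in, rather than trying to strip "bad" input.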

We highly recommend updating or patching your existing BlueSpice installations.

I want to thank Frederic for his support! And I’d like to take this chance to sketch out how we handle vulnerability reports. Usually, bugs are reported in our public forum. However, reporting a security-related issue there also means publishing the vulnerability right away, without giving us the chance to patch the software first. Because of this, I ask you to report security issues directly to me by email: glaser@hallowelt.com. If possible, please encrypt the actual description of the vulnerability with GPG. My public key can be found on the MIT keyserver. We will then contact you, verify the vulnerability and provide a patch. After the patch is released, we will request a CVE number to have this properly documented. Of course, credit for finding the vulnerability goes to the person who reported it.

One Comment to “Security release 2.23.1.1, and how to report vulnerabilities”

  1. […] release of new version on download page and/or customer notification 2015-07-02: Vendor published customer security notification 2015-07-09: LastBreach releases […]
