The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

Product Security Advisory: Reflected cross-site scripting in Black Duck Hub

Black Duck Editorial Staff

May 08, 2022 / 1 min read

Table of Contents

CVE: CVE-2022-30278
Severity: High (7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
First Published: May 9, 2022
Last Updated: May 9, 2022

Summary

A vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files could allow an unauthenticated remote attacker to conduct a cross-site scripting attack.

The vulnerability is due to improper validation of user-supplied input to MadCap Flare’s framework embedded within Black Duck Hub’s help documentation. An attacker could exploit this vulnerability by convincing a user to click a link designed to pass malicious input to the interface, letting the attacker conduct cross-site scripting attacks and gain access to sensitive browser-based information.

CVE-2022-30278 was addressed in the 2022.4.0 version of Black Duck Hub that was released on April 28, 2022, and can be found here: https://github.com/blackducksoftware/hub/releases/tag/v2022.4.0

Remediation

If your installation is hosted by Black Duck Hub, it was automatically patched during emergency maintenance without downtime on May 5, 2022.

If you are using an installation that is not hosted by Black Duck, you are advised to upgrade to the latest version as soon as possible. If you’re unable to do this for any reason, please submit a support case via https://community.blackduck.com/s/contactsupport

Continue Reading

Explore Topics