
Summary

Possible JavaScript code execution in Cover Stories macro

Advisory Release Date


  • Linchpin Enterprise News
  • Linchpin Intranet Suite

Affected Versions

Linchpin Enterprise News:

  • 2.15.4 and earlier

Linchpin Intranet Suite:

  • 4.1.3 and earlier

Fixed Versions

Linchpin Enterprise News:

  • 2.15.5

Linchpin Intranet Suite:

  • 4.1.4


We were able to identify a security vulnerability in our Linchpin Enterprise News app: if you create a blog post with a specially prepared title, JavaScript code gets executed when the blog post is rendered inside the Cover Stories macro.

All versions of the app Linchpin Enterprise News up to and including 2.15.4 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including version 4.1.3.


The vulnerability has been rated as High (8.7) according to the scale published under the Common Vulnerability Scoring System (CVSS).


For Linchpin Intranet Suite customers: Update to the latest Marketplace version: Linchpin Intranet Suite 4.1.4 or newer.

For Linchpin Enterprise News customers: Update to the latest Marketplace version: Linchpin Enterprise News 2.15.5 or newer.
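
A triage aid for administrators, added here as an example and not code from the vendor: it checks an installed version against the fixed versions listed above and flags existing blog post titles that deserve a manual review. The matching heuristic, the function names and the sample posts are assumptions constructed for illustration.

```python
import html
import re

# Fixed versions as stated in this advisory.
FIXED = {
    "Linchpin Enterprise News": (2, 15, 5),
    "Linchpin Intranet Suite": (4, 1, 4),
}

def parse_version(text):
    """Turn '2.15.4' into (2, 15, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(product, installed):
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < FIXED[product]

# Heuristic (assumption, not from the advisory): a title is worth reviewing if
# it contains something shaped like an HTML tag, an inline event handler
# attribute, or a javascript: URL.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

def titles_to_review(posts):
    """Return (post id, HTML-escaped title) for titles matching the heuristic."""
    flagged = []
    for post_id, title in posts:
        if SUSPICIOUS.search(title):
            # Escape so the report itself is safe to open in a browser.
            flagged.append((post_id, html.escape(title, quote=True)))
    return flagged

# Constructed sample data, not taken from any real instance.
SAMPLE_POSTS = [
    (101, "Q3 results & outlook"),
    (102, "Welcome <b>new</b> colleagues"),
    (103, "Office move: 5 > 3 floors"),
    (104, 'Lunch menu" onmouseover="x'),
]

if __name__ == "__main__":
    for product, version in [("Linchpin Enterprise News", "2.15.4"),
                             ("Linchpin Intranet Suite", "4.1.4")]:
        state = "affected" if is_affected(product, version) else "fixed"
        print(product, version, state)
    for post_id, title in titles_to_review(SAMPLE_POSTS):
        print("review post", post_id, title)
```

Versions are compared as integer tuples because a plain string comparison would rank 2.9.x above 2.15.x.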

Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at

A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to not work properly after performing app updates. For more details, please refer to Parts of Linchpin or Confluence not accessible after update in our knowledge base if you're using Linchpin-based theming.

This page was last edited on 05/06/2021.