Summary

Possible JavaScript code execution in Cover Stories macro
Advisory Release Date

 

Product
  • Linchpin Enterprise News
  • Linchpin Intranet Suite

Affected Versions

Linchpin Enterprise News:

  • 2.15.4 and earlier

Linchpin Intranet Suite:

  • 4.1.3 and earlier

Fixed Versions

Linchpin Enterprise News:

  • 2.15.5

Linchpin Intranet Suite:

  • 4.1.4

Problem

We identified a security vulnerability in our Linchpin Enterprise News app: if a blog post is created with a specially prepared title, JavaScript code is executed when that blog post is rendered inside the Cover Stories macro.

All versions of the app Linchpin Enterprise News up to and including 2.15.4 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite up to and including 4.1.3 are affected by this vulnerability.

Severity

The vulnerability has been rated as High (8.7) according to the scale published under the Common Vulnerability Scoring System (CVSS).

Solution

For Linchpin Intranet Suite customers: Update to the latest Marketplace version: Linchpin Intranet Suite 4.1.4 or newer.

For Linchpin Enterprise News customers: Update to the latest Marketplace version: Linchpin Enterprise News 2.15.5 or newer.

Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.

A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to not work properly after performing app updates. If you're using Linchpin-based theming, please refer to "Parts of Linchpin or Confluence not accessible after update" in our knowledge base for more details.
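To check an app inventory against the version ranges in this advisory, the following added example (not vendor code) classifies each installed version. The inventory entries are constructed, and the function names and status labels are assumptions of this example.

```python
import re

# Fixed versions as stated in this advisory; every lower version is affected.
FIXED = {
    "linchpin enterprise news": (2, 15, 5),
    "linchpin intranet suite": (4, 1, 4),
}

def parse_version(text):
    """'4.1.4-rc1' -> ((4, 1, 4), True); the flag marks a trailing qualifier."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(.*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2))

def status(product, version):
    """Return 'affected', 'fixed', 'review' or 'not-covered' (labels are ours)."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "not-covered"      # product is not named in the advisory
    try:
        nums, qualified = parse_version(version)
    except ValueError:
        return "review"           # cannot decide automatically
    # Pad to equal length so '4.1' is compared as 4.1.0.
    width = max(len(nums), len(fixed))
    nums += (0,) * (width - len(nums))
    fixed += (0,) * (width - len(fixed))
    if nums < fixed:              # numeric compare: 2.9.0 < 2.15.5 < 2.15.10
        return "affected"
    if nums == fixed and qualified:
        return "review"           # pre-release or custom build of the fixed version
    return "fixed"

def triage(inventory):
    """Classify every (product, version) pair in an inventory."""
    return [(p, v, status(p, v)) for p, v in inventory]

# Constructed inventory for illustration, not real installation data.
SAMPLE_INVENTORY = [
    ("Linchpin Enterprise News", "2.15.4"),
    ("Linchpin Enterprise News", "2.9.0"),
    ("Linchpin Intranet Suite", "4.1.4"),
    ("Linchpin Intranet Suite", "4.1.4-rc1"),
]

if __name__ == "__main__":
    for product, version, result in triage(SAMPLE_INVENTORY):
        print(f"{product:26} {version:10} {result}")
```

Versions are compared segment by segment as integers, so 2.9.0 is correctly reported as affected even though it sorts after 2.15.5 as a string.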

This content was last updated on 05/06/2021.
