PT-2015-5031 · Bedita · Bedita

Steffen Rösemann

·

Published

2015-01-15

·

Updated

2015-01-15

·

CVE-2015-1040

CVSS v2.0

3.5

Low

Vector AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: BEdita version 3.4.0
Description: Multiple cross-site scripting (XSS) vulnerabilities exist in the administrative backend of BEdita 3.4.0. They allow remote authenticated users to inject arbitrary web script or HTML via several fields: the lrealname field in the "editProfile" form submitted to "index.php/home/profile", the data[title] or data[description] fields in the "addQuickItem" form submitted to "index.php", the "note text" field in the "saveNote" form submitted to "index.php/areas", and the titleBEObject or tagsArea fields in the "updateForm" form submitted to "index.php/documents/view". Values submitted through these fields are rendered back into backend pages without sufficient output encoding, so injected script executes in the browser of a backend user who views the affected profile, item, note or document. The CVSS vector (Au:S) reflects that an attacker needs a valid backend account; the impact is limited to integrity (I:P), typically session or action hijacking of other backend users.
Recommendations: For BEdita version 3.4.0, as a temporary workaround, restrict access to the administrative backend (for example to trusted networks and a minimal set of accounts) to reduce the pool of users who can reach the vulnerable forms. Treat the vulnerable fields (lrealname, data[title], data[description], "note text", titleBEObject and tagsArea) as untrusted: avoid entering markup in them, and review existing profile, item, note and document records for injected HTML until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
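The description above names the fields but not what "insufficient output encoding" looks like in practice. The following is an added example written for this page, not code from BEdita or from the reporter: it models the flawed rendering (the stored value concatenated into HTML verbatim) next to the hardened form (HTML-encoded on output, as CakePHP's h() helper does), and a small checker that tells the two apart by submitting a per-field probe and looking for a live script element in the rendered result. The render functions, the probe payload and the field list are constructed for the example; only the field names come from the advisory.

```python
import html
import re

# Field names taken from the advisory; everything else here is constructed
# for this example and is not BEdita's own code.
FIELDS = ["lrealname", "data[title]", "data[description]",
          "note text", "titleBEObject", "tagsArea"]


def probe_for(field):
    """Per-field payload that breaks out of both an attribute and a text context."""
    return f'"><script>alert("{field}")</script>'


def render_unsafe(field, value):
    """Models the flaw: the stored value is concatenated into HTML verbatim,
    once inside an attribute (form re-display) and once as element text (view)."""
    return f'<input name="{field}" value="{value}"><p>{value}</p>'


def render_safe(field, value):
    """Hardened counterpart: HTML-encode on output (quote=True also encodes
    the double quote, which is what keeps the attribute context intact)."""
    enc = html.escape(value, quote=True)
    return f'<input name="{field}" value="{enc}"><p>{enc}</p>'


# A probe that survived encoding never forms a real <script> start tag, so a
# literal match here means the metacharacters reached the page unescaped.
SCRIPT_TAG = re.compile(r'<script>alert\("([^"]+)"\)</script>', re.I)


def unescaped_fields(render, fields=FIELDS):
    """Return the fields whose probe came back as a live <script> element."""
    hits = []
    for field in fields:
        page = render(field, probe_for(field))
        if any(m == field for m in SCRIPT_TAG.findall(page)):
            hits.append(field)
    return hits


if __name__ == "__main__":
    print("unsafe renderer leaks:", unescaped_fields(render_unsafe))
    print("safe renderer leaks:  ", unescaped_fields(render_safe))
```

Against a real instance the same check would be run by submitting probe_for(field) through the listed forms and feeding the returned backend pages to unescaped_fields in place of the simulated renderers; tagging each probe with its field name is what lets one response be attributed to one input even when a page echoes several fields.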

Exploit

XSS


Weakness Enumeration

Related identifiers

CVE-2015-1040

Affected products

Bedita