PT-2020-16400 · Openslide · Openslides
Published 2020-12-18 · Updated 2020-12-22 · CVE-2020-26280
CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
OpenSlides version 3.2
Description
OpenSlides is a free, Web-based presentation and assembly system for managing and projecting agenda, motions, and elections of assemblies. Due to insufficient user input validation and escaping, it is vulnerable to persistent cross-site scripting (XSS). In the web application, users can enter rich text in various places, e.g., for personal notes or in motions. These fields can be used to store arbitrary JavaScript code that will be executed when other users read the respective text. An attacker could utilize this vulnerability to manipulate votes of other users, hijack the moderator's session, or simply disturb the meeting.
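The class of fix for this issue is server-side sanitization of stored rich text against an allowlist of tags and attributes, so that nothing a user submits reaches other users' browsers as script. The following is an added example of such a sanitizer, written for this page; it is not OpenSlides' own code, and the tag allowlist, the `sanitize_rich_text` name and the constructed sample motion text are assumptions chosen for the demonstration.

```python
"""Allowlist-based rich-text sanitizer (example code, not OpenSlides').

Strategy: only a small set of formatting tags survives, only a handful of
attributes survive on those tags, URLs are limited to safe schemes, and all
text is entity-escaped.  Anything not explicitly allowed is dropped rather
than escaped, including every on* event handler and the contents of <script>.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: formatting an assembly tool plausibly needs in motions or notes.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
SKIP_CONTENT_TAGS = {"script", "style"}  # drop the body of these, not just the tag


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # rebuilt, clean HTML fragments
        self.open_tags = []   # stack used to keep the output balanced
        self.skip = None      # set while inside a <script>/<style> body
        self.dropped = 0      # removed tags/attributes, useful for logging

    def _clean_attrs(self, tag, attrs):
        cleaned = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1  # rejects onclick, onerror, style, ...
                continue
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                self.dropped += 1  # rejects javascript:, data:, vbscript:, ...
                continue
            cleaned.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(cleaned)

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            if tag in SKIP_CONTENT_TAGS:
                self.skip = tag
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag == self.skip:
            self.skip = None
            return
        if tag in self.open_tags:
            # Close everything opened after this tag too, so output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip:
            return  # script/style body is discarded entirely
        self.out.append(escape(data, quote=False))  # text is never emitted raw

    def handle_comment(self, data):
        self.dropped += 1  # comments can hide conditional/odd markup; drop them

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(html_in):
    """Return (clean_html, dropped_count) for a user-supplied rich-text field."""
    parser = _Sanitizer()
    parser.feed(html_in)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample: a motion text with formatting plus the kinds of markup a
# stored-XSS attempt would carry.  Not taken from a real OpenSlides instance.
SAMPLE_MOTION = (
    '<p>Motion <b>42</b>: adopt the budget.</p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="alert(1)">vote here</a>'
    '<img src="x" onerror="alert(1)">'
)

if __name__ == "__main__":
    clean, dropped = sanitize_rich_text(SAMPLE_MOTION)
    print(clean)          # <p>Motion <b>42</b>: adopt the budget.</p><a>vote here</a>
    print("dropped:", dropped)  # 4
```

Apply the sanitizer at write time (when the motion or note is saved) and again, or at least escape, at render time; the stored copy should already be clean so that every reader, including the moderator, receives the same inert markup. The `dropped` counter is worth logging, since a burst of removed `on*` attributes or `<script>` tags in one account's submissions is a useful detection signal.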
Recommendations
For OpenSlides version 3.2, update to version 3.3 to resolve the issue. As a temporary workaround, consider restricting the use of rich text fields in motions and personal notes to minimize the risk of exploitation. Avoid using these fields to store arbitrary JavaScript code until the issue is resolved.
Fix
XSS
Affected Products: Openslides