CVE-2020-14988

Name of the Vulnerable Software and Affected Versions Bloomreach Experience Manager (brXM) versions 4.1.0 through 14.2.2

Description The issue allows for cross-site scripting (XSS) attacks in various components of the software. Specifically, XSS is possible via the loginmessage parameter in the login page, the src attribute of HTML elements in the text editor, the foldername parameter in the translations menu, the link URL in the author page, or through uploading an SVG document containing JavaScript via the upload image functionality.

Recommendations For versions 4.1.0 through 14.2.2, consider disabling the text editor and upload image functionality as a temporary workaround to minimize the risk of exploitation. Restrict access to the translations menu and author page to minimize the risk. Avoid using the loginmessage and foldername parameters in the affected components until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.