CVE-2023-29016

Name of the Vulnerable Software and Affected Versions Goobi viewer versions prior to 23.03

Description The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in Goobi viewer core when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in the execution in the user's browser when displaying the nickname on certain pages.

Recommendations For versions prior to 23.03, update to version 23.03 to resolve the issue. As a temporary workaround, consider restricting the use of nicknames in user profiles until the update is applied. Avoid displaying user nicknames on certain pages until the issue is resolved.