CVE-2025-30342

Name of the Vulnerable Software and Affected Versions OpenSlides versions prior to 4.2.5

Description A cross-site scripting (XSS) issue was discovered. When submitting descriptions, an editor is shown that allows formatting the submitted text, enabling the insertion of various HTML elements. Although the SCRIPT element is properly encoded when reflected, adding attributes to links is possible, allowing the injection of JavaScript via the onmouseover attribute and others. When a user moves the mouse over a prepared link, JavaScript is executed in that user's session.

Recommendations For versions prior to 4.2.5, update to version 4.2.5 or later to resolve the issue. As a temporary workaround, consider disabling the editor for submitting descriptions such as Moderator Notes or Agenda Topics until a patch is available. Restrict access to links with attributes that could be used for JavaScript injection to minimize the risk of exploitation.