PT-2025-12397 · Unknown · Openslides

Published: 2025-03-21 · Updated: 2025-03-23 · CVE-2025-30345

CVSS v3.1: 4.1 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenSlides versions prior to 4.2.5

Description: An issue was discovered in OpenSlides where users can specify the name of the chat when creating new chats via the chat group.create action. Some HTML elements are filtered, but others are not, and HTML entities are not properly encoded when deleting chats or messages. This potentially allows attackers to interfere with the layout of the rendered website.

Recommendations: For versions prior to 4.2.5, update to version 4.2.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTML elements in chat names to minimize the risk of exploitation. Avoid using the chat group.create action with untrusted input until the issue is resolved.
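The weakness class described above (a partial tag filter instead of output encoding) is illustrated by the following added example; it is not OpenSlides code, and the chat names, the blocklist and the helper functions are constructed for the demonstration.

```javascript
// Added example (not OpenSlides code): why a tag blocklist is not output encoding.
// The chat names below are constructed and stand in for values a user submits.

// Incomplete blocklist of the kind the advisory describes: only the listed tags are
// removed and nothing is entity-encoded, so any unlisted tag reaches the page intact.
const BLOCKED_TAGS = ["script", "iframe", "b"];
function filterSomeTags(name) {
  return BLOCKED_TAGS.reduce(
    (s, t) => s.replace(new RegExp(`</?${t}\\b[^>]*>`, "gi"), ""),
    String(name)
  );
}

// Correct output encoding: every character that is significant to the HTML parser
// becomes an entity, so the browser always treats the whole name as text.
const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(name) {
  return String(name).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Defensive check for a test suite: nothing about to be interpolated into markup
// may still contain a raw angle bracket after it has been processed.
function isSafeForMarkup(processed) {
  return !/[<>]/.test(processed);
}

// Simulate the list item a client would render for a chat name, with either path.
function renderChatRow(name, encoder) {
  return `<li class="chat-name">${encoder(name)}</li>`;
}

const constructedNames = ["Board meeting", "<h1>Agenda</h1>", "Tom & Jerry <b>bold</b>"];
for (const n of constructedNames) {
  console.log(renderChatRow(n, filterSomeTags), "|", renderChatRow(n, escapeHtml));
}
```

Running it shows the blocklist path letting an unlisted heading tag through while the encoded path renders every name as literal text.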

Weakness Enumeration: Improper Encoding or Escaping of Output; XSS

Related Identifiers: CVE-2025-30345

Affected Products: Openslides