CVE-2025-30342

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-30342

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30342.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30342

Published

2025-03-21T06:15:26Z

Modified

2025-03-28T02:00:48.884733Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An XSS issue was discovered in OpenSlides before 4.2.5. When submitting descriptions such as Moderator Notes or Agenda Topics, an editor is shown that allows one to format the submitted text. This allows insertion of various HTML elements. When trying to insert a SCRIPT element, it is properly encoded when reflected; however, adding attributes to links is possible, which allows the injection of JavaScript via the onmouseover attribute and others. When a user moves the mouse over such a prepared link, JavaScript is executed in that user's session.

References

https://www.x41-dsec.de/lab/advisories/x41-2025-001-OpenSlides

Affected packages

Git / github.com/openslides/openslides

Affected ranges

Type: GIT
Repo: https://github.com/openslides/openslides
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

89d3f5b68366d630219b4d4c4e43c747e7815ec1

Affected versions

1.*

1.0

1.1

1.2

1.3

1.4

1.4.1

1.4.2

1.5

1.5.1

1.5b1

1.5b2

1.6

1.6.1

1.6b1

1.6b2

1.7

1.7b1

2.*

2.0

2.0a1

2.0b1

2.0b2

2.0b3

2.0b4

2.0b5

2.1

2.1.1

2.1b1

2.1b2

2.1b3

2.1b4

2.2

2.2b1

2.2b2

2.2b3

2.3

2.3b1

3.*

3.0

3.1

4.*

4.0.0

4.1.0

4.1.11

4.1.12

4.1.13

4.1.14

4.1.15

4.1.16

4.1.17

4.1.18

4.1.19

4.1.20

4.1.21

4.1.22

4.1.7

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4