CVE-2025-30345

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-30345

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30345.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30345

Published

2025-03-21T06:15:27Z

Modified

2025-03-28T02:00:55.637668Z

Severity

4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in OpenSlides before 4.2.5. When creating new chats via the chat_group.create action, the user is able to specify the name of the chat. Some HTML elements such as SCRIPT are filtered, whereas others are not. In most cases, HTML entities are encoded properly, but not when deleting chats or deleting messages in these chats. This potentially allows attackers to interfere with the layout of the rendered website, but it is unlikely that victims would click on deleted chats or deleted messages.

References

https://www.x41-dsec.de/lab/advisories/x41-2025-001-OpenSlides

Affected packages

Git / github.com/openslides/openslides

Affected ranges

Type: GIT
Repo: https://github.com/openslides/openslides
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

89d3f5b68366d630219b4d4c4e43c747e7815ec1

Affected versions

1.*

1.0

1.1

1.2

1.3

1.4

1.4.1

1.4.2

1.5

1.5.1

1.5b1

1.5b2

1.6

1.6.1

1.6b1

1.6b2

1.7

1.7b1

2.*

2.0

2.0a1

2.0b1

2.0b2

2.0b3

2.0b4

2.0b5

2.1

2.1.1

2.1b1

2.1b2

2.1b3

2.1b4

2.2

2.2b1

2.2b2

2.2b3

2.3

2.3b1

3.*

3.0

3.1

4.*

4.0.0

4.1.0

4.1.11

4.1.12

4.1.13

4.1.14

4.1.15

4.1.16

4.1.17

4.1.18

4.1.19

4.1.20

4.1.21

4.1.22

4.1.7

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4