close search bar

Sorry, not available in this language yet

close language selection

Product Security Advisory: Reflected cross-site scripting in Black Duck Hub

CVE-2022-30278 is a reflected cross-site scripting (XSS) vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files.

CVE-2022-30278 announcement | Synopsys

CVE: CVE-2022-30278
Severity: High (7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
First Published: May 9, 2022
Last Updated: May 9, 2022


A vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files could allow an unauthenticated remote attacker to conduct a cross-site scripting attack.

The vulnerability is due to improper validation of user-supplied input to MadCap Flare’s framework embedded within Black Duck Hub’s help documentation. An attacker could exploit this vulnerability by convincing a user to click a link designed to pass malicious input to the interface, letting the attacker conduct cross-site scripting attacks and gain access to sensitive browser-based information.

CVE-2022-30278 was addressed in the 2022.4.0 version of Black Duck Hub that was released on April 28, 2022, and can be found here:


If your installation is hosted by Synopsys, Black Duck Hub was automatically patched during emergency maintenance without downtime on May 5, 2022.

If you are using an installation that is not hosted by Synopsys, you are advised to upgrade to the latest version as soon as possible. If you’re unable to do this for any reason, please submit a support case via

Subscribe to the blog for the latest AppSec news

Subscribe now

Ben Ronallo

Posted by

Ben Ronallo

Ben Ronallo

Ben Ronallo is a senior security consultant at Synopsys. He comes from a background in system administration and web development. Ben focuses his attention on improving the processes and capabilities of Synopsys' practices. When he's not teaching his puppy how to execute cross-site scripting, he's delving into the world of mobile security where he's documenting best practices and working with other subject matter experts to understand the ever-changing mobile landscape.

More from Security news and research