CVE-2022-30278 is a reflected cross-site scripting (XSS) vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files.
Severity: High (7.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
First Published: May 9, 2022
Last Updated: May 9, 2022
A vulnerability in Black Duck Hub’s embedded MadCap Flare documentation files could allow an unauthenticated remote attacker to conduct a cross-site scripting attack.
The vulnerability is due to improper validation of user-supplied input to MadCap Flare’s framework embedded within Black Duck Hub’s help documentation. An attacker could exploit this vulnerability by convincing a user to click a link designed to pass malicious input to the interface, letting the attacker conduct cross-site scripting attacks and gain access to sensitive browser-based information.
CVE-2022-30278 was addressed in the 2022.4.0 version of Black Duck Hub that was released on April 28, 2022, and can be found here: https://github.com/blackducksoftware/hub/releases/tag/v2022.4.0
If your installation is hosted by Synopsys, Black Duck Hub was automatically patched during emergency maintenance without downtime on May 5, 2022.
If you are using an installation that is not hosted by Synopsys, you are advised to upgrade to the latest version as soon as possible. If you’re unable to do this for any reason, please submit a support case via https://community.synopsys.com/s/contactsupport
Ben Ronallo is a senior security consultant at Synopsys. He comes from a background in system administration and web development. Ben focuses his attention on improving the processes and capabilities of Synopsys' practices. When he's not teaching his puppy how to execute cross-site scripting, he's delving into the world of mobile security where he's documenting best practices and working with other subject matter experts to understand the ever-changing mobile landscape.