Mindbreeze InSpire Vulnerabilities

Cookie name	Purpose	Lifespan
TEAMNX	Session identifier for the Fabasoft Cloud	9 Hours
cookie_settings	Stores information about your cookie settings	30 Days
_apm:telemetryStatus#...:	Performance measurement app.telemetry (needed for the search function on www.mindbreeze.com) The last response of the web.telemetry requests is saved in this value. This includes in particular the information concerning which instrumentation level the Client instrumentation is to be recorded on. This information is important at the start of the Client, so that even the first request can already be collected in the selected recording level, because the first web.telemetry request is not generally effected until after the first application request has been sent.	unlimited
apm:guid	Session ID for app.telemetry (needed for the search function on www.mindbreeze.com) This is a GUID that enables the possibility of assigning telemetry data to a Client even when the page is reloaded or the Client uses the navigation to switch to other pages of the application	unlimited

This page lists known security vulnerabilities found in Mindbreeze InSpire. The article titles contain the Mindbreeze issue number and, in the case of third-party software, the official CVE number. Information about the affected components, severity level, current status and how to prevent the issue as well as hotfix information if applicable, can be found on the detail pages. You can also use the full text search to find specific vulnerabilities.

If you have found a possible security vulnerability, please contact Mindbreeze InSpire Support at support@mindbreeze.com providing detailed information about the problem found.

Vulnerabilities

dataTable.js and moment.js Security Update (MINDBREEZE26538)

ID: MINDBREEZE26538 Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS Severity: 3.5 Low Status: Final First published: March 15, 2023 Summary DataTableJS: prototype pollution, possible XSS MomentJS: possible regular expression DoS Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: Mindbreeze InSpire 23.1 Release (Version 23.1.0.410) Mindbreeze InSpire Saas 23.1 Release (Version 23.1.0.410)

Lodash Security Update (MINDBREEZE26382)

ID: MINDBREEZE26382 Affected Components: Mindbreeze InSpire Severity: 7.3 High Status: Final First published: March 15, 2023 CVEs: CVE-2021-23337, CVE-2020-28500, CVE-2020-8203, CVE-2019-1010266, CVE-2019-10744, CVE-2018-16487 Summary Possible XSS and DoS in the Lodash library. Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: Mindbreeze InSpire 23.1 Release (Version 23.1.0.410)

Certifi Security Update (MINDBREEZE26358)

ID: MINDBREEZE26358 Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS Severity: 7.5 Important Status: Final First published: March 15, 2023 CVE: CVE-2022-23491 Summary Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Hotfix Information

OpenJDK Security Update (8u352) (MINDBREEZE25529)

ID: MINDBREEZE25529 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 5.3 Medium Status: Final First published: January 25, 2023 CVEs: CVE-2022-21626, CVE-2022-21624, CVE-2022-21619

Javascript Library jQuery UI Security Update (MINDBREEZE25399)

ID: MINDBREEZE25399 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 6.1 Medium Status: Final First published: January 25, 2023 CVEs: CVE-2022-31160 Summary This vulnerability may allow running cross-site scripting (XSS) attacks due to improper jQuery _getCreateOptions method. Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: Mindbreeze InSpire 22.3 Release (Version 22.3.0.1109)

OpenSSL/Kernel Security Update (MINDBREEZE25384)

ID: MINDBREEZE25384 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 7.5 High Status: Final First published: November 30, 2022 CVEs: CVE-2022-3786, CVE-2022-3602, CVE-2022-3435 Summary OpenSSL: X.509 Email Address Buffer Overflow (CVE-2022-3602) OpenSSL: X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) kernel: Out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c (CVE-2022-3435) Hotfix Information

Possible SQL injection with special api.v2.search requests (MINDBREEZE23683)

ID: MINDBREEZE23683 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 7.6 High Status: Final First published: August 31, 2022 Summary Possible SQL injection with special api.v2.search requests. Remediation Update to at least 22.1 Hotfix 2 or disable the task "Update app.telemetry dashboards". Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

OpenJDK Security Update (8u333) (MINDBREEZE23309)

ID: MINDBREEZE23309 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 5.3 Medium Status: Final First published: September 28, 2022 CVEs: CVE-2022-21496 Summary OpenJDK Security Update 8u333 contains fixes for the following CVEs: OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496) Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

CoreOS Security Update (CoreOS 36) (MINDBREEZE23118)

ID: MINDBREEZE23118 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 5.6 Medium Status: Final First published: September 28, 2022 CVEs: CVE-2022-29901 Summary BZ#2103148 CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions. Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: Mindbreeze InSpire 22.2 Release (Version 22.2.0.729)

Javascript Library jQuery UI Security Update (MINDBREEZE22857)

ID: MINDBREEZE22857 Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS Severity: 6.5 Medium Status: Final First published: January 25, 2023 CVEs: CVE-2021-41182, CVE-2021-41183, CVE-2021-41184 Summary This vulnerability may allow running cross-site scripting (XSS) attacks due to improper jQuery method. Hotfix Information Fixed with following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS: Mindbreeze InSpire 22.3 Release (Version 22.3.0.1109)