JavaScript Library Mustache Security Update (MINDBREEZE15232)

ID: MINDBREEZE15232 
Affected Components: Mindbreeze InSpire G6, Mindbreeze InSpire G7, Mindbreeze InSpire SaaS 
Severity: 3.5 Low 
Status: Final 
First published: 14.10.2020 

Summary

In mustache version 2.2.1, it is no longer possible to pass executable code via input files. This is patched in the vendor mustache.js.

Severity: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Impact

This vulnerability may allow running cross-site scripting (XSS) attacks via input fields in mustache templates.

Remediation

Hotfix Information

Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire 20.4 Release (Version 20.4.4.435)
  • Mindbreeze InSpire SaaS 20.4 Release (Version 20.4.4.448)