Mindbreeze InSpire Vulnerabilities
This page lists known security vulnerabilities found in Mindbreeze InSpire. The article titles contain the Mindbreeze issue number and, in the case of third-party software, the official CVE number. The detail pages give the affected components, severity level, current status, how to prevent the issue and, if applicable, hotfix information. You can also use the full text search to find specific vulnerabilities.
If you have found a possible security vulnerability, please contact Mindbreeze InSpire Support at support@mindbreeze.com, providing detailed information about the problem found.
Vulnerabilities
ID: MINDBREEZE26538
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS
Severity: 3.5 Low
Status: Final
First published: March 15, 2023
Summary
DataTableJS: prototype pollution, possible XSS
MomentJS: possible regular expression DoS
Hotfix Information
Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
Mindbreeze InSpire 23.1 Release (Version 23.1.0.410)
Mindbreeze InSpire SaaS 23.1 Release (Version 23.1.0.410)
ID: MINDBREEZE26382
Affected Components: Mindbreeze InSpire
Severity: 7.3 High
Status: Final
First published: March 15, 2023
CVEs: CVE-2021-23337, CVE-2020-28500, CVE-2020-8203, CVE-2019-1010266, CVE-2019-10744, CVE-2018-16487
Summary
Possible XSS and DoS in the Lodash library.
Hotfix Information
Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
Mindbreeze InSpire 23.1 Release (Version 23.1.0.410)
ID: MINDBREEZE26358
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS
Severity: 7.5 Important
Status: Final
First published: March 15, 2023
CVE: CVE-2022-23491
Summary
Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware.
Hotfix Information
ID: MINDBREEZE25529
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 5.3 Medium
Status: Final
First published: January 25, 2023
CVEs: CVE-2022-21626, CVE-2022-21624, CVE-2022-21619
ID: MINDBREEZE25399
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 6.1 Medium
Status: Final
First published: January 25, 2023
CVEs: CVE-2022-31160
Summary
This vulnerability may allow cross-site scripting (XSS) attacks due to an improper jQuery _getCreateOptions method.
Hotfix Information
Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
Mindbreeze InSpire 22.3 Release (Version 22.3.0.1109)
ID: MINDBREEZE25384
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 7.5 High
Status: Final
First published: November 30, 2022
CVEs: CVE-2022-3786, CVE-2022-3602, CVE-2022-3435
Summary
OpenSSL: X.509 Email Address Buffer Overflow (CVE-2022-3602)
OpenSSL: X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)
kernel: Out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c (CVE-2022-3435)
Hotfix Information
ID: MINDBREEZE23683
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 7.6 High
Status: Final
First published: August 31, 2022
Summary
Possible SQL injection with special api.v2.search requests.
Remediation
Update to at least 22.1 Hotfix 2 or disable the task "Update app.telemetry dashboards".
Hotfix Information
Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
ID: MINDBREEZE23311
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 6.8 Medium
Status: Final
First published: October 20, 2023
CVEs: CVE-2022-1438, CVE-2022-3916, CVE-2023-0264
ID: MINDBREEZE23309
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 5.3 Medium
Status: Final
First published: September 28, 2022
CVEs: CVE-2022-21496
Summary
OpenJDK Security Update 8u333 contains fixes for the following CVEs:
OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)
Hotfix Information
Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
ID: MINDBREEZE23118
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 5.6 Medium
Status: Final
First published: September 28, 2022
CVEs: CVE-2022-29901
Summary
BZ#2103148 CVE-2022-29901 hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions.
Hotfix Information
Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:
Mindbreeze InSpire 22.2 Release (Version 22.2.0.729)