Description
HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped, so an attacker with sufficient privilege could insert malicious JavaScript into a space name and exploit system users who visit that space. It is recommended that HumHub be upgraded to 1.11.4 or 1.10.5. There are no known workarounds for this issue.
References (4)
Core References
Third Party Advisory (x_refsource_confirm): https://github.com/humhub/humhub/security/advisories/GHSA-p7h3-73v7-959c
Patch, Third Party Advisory (x_refsource_misc): https://github.com/humhub/humhub/commit/07d9f8f9b6334970ee38156a3416c3708d157cae
Patch, Third Party Advisory (x_refsource_misc): https://github.com/humhub/humhub/commit/f88991dfe56a05870df165ac89a2755dd4c1ffa1
Not Applicable (x_refsource_misc): https://huntr.dev/bounties/89d996a2-de30-4261-8e3f-98e54cb25f76
Scores
CVSS v3
5.9
EPSS
0.0030
EPSS Percentile
53.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
humhub/humhub
< 1.10.5
Published
Jul 07, 2022
Tracked Since
Feb 18, 2026