{
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE",
                "url": "https://www.first.org/tlp/v1/"
            }
        },
        "lang": "en",
        "publisher": {
            "category": "vendor",
            "contact_details": "mailto:security@intevation.de, encryption via OpenPGP: https://intevation.de/.well-known/openpgpkey/hu/t5s8ztdbon8yzntexy6oz5y48etqsnbb",
            "name": "Intevation GmbH",
            "namespace": "https://intevation.de"
        },
        "title": "HTML Injection In Chat Names in OpenSlides",
        "tracking": {
            "current_release_date": "2025-10-21T17:07:00.000Z",
            "id": "intevation-os-2025-0004",
            "initial_release_date": "2025-04-08T18:00:00.000Z",
            "revision_history": [
                {
                    "date": "2025-04-08T18:00:00.000Z",
                    "number": "1.0.0",
                    "summary": "Initial revision"
                },
                {
                    "date": "2025-04-08T19:00:00.000Z",
                    "number": "1.0.1",
                    "summary": "Fixed naming for version 4.2.5."
                },
                {
                    "date": "2025-05-05T12:59:00.000Z",
                    "number": "1.0.2",
                    "summary": "Status final after review."
                },
                {
                    "date": "2025-09-29T15:20:00.000Z",
                    "number": "2.0.0",
                    "summary": "Fix product version range syntax."
                },
                {
                    "date": "2025-10-21T17:07:00.000Z",
                    "number": "3.0.0",
                    "summary": "Fix product version range syntax and add the current OpenSlides release as a fixed product."
                }
            ],
            "status": "final",
            "version": "3.0.0"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:intdot/<=4.2.4",
                                "product": {
                                    "name": "OpenSlides up to version 4.2.4",
                                    "product_id": "openslides-le-4.2.4"
                                }
                            },
                            {
                                "category": "product_version",
                                "name": "4.2.5",
                                "product": {
                                    "name": "OpenSlides version 4.2.5",
                                    "product_id": "openslides-e-4.2.5"
                                }
                            },
                            {
                                "category": "product_version",
                                "name": "4.2.23",
                                "product": {
                                    "name": "OpenSlides version 4.2.23",
                                    "product_id": "openslides-e-4.2.23"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "OpenSlides"
                    }
                ],
                "category": "vendor",
                "name": "Intevation GmbH"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2025-30345",
            "notes": [
                {
                    "category": "summary",
                    "text": "When creating a new chat via the chat_group.create action, the user can specify the name of the chat. Some HTML tags, such as script, are filtered, whereas others are not. In most cases the name is properly HTML-encoded when rendered, but not when deleting chats or deleting messages in these chats. This allows attackers to inject HTML markup that alters the layout of the rendered website."
                }
            ],
            "product_status": {
                "known_affected": [
                    "openslides-le-4.2.4"
                ],
                "first_fixed": [
                    "openslides-e-4.2.5"
                ],
                "fixed": [
                    "openslides-e-4.2.5",
                    "openslides-e-4.2.23"
                ]
            },
            "remediations": [
                {
                    "category": "vendor_fix",
                    "date": "2025-03-19T12:00:00.000Z",
                    "details": "Update to the latest version of OpenSlides, or at least to version 4.2.5.",
                    "product_ids": [
                        "openslides-le-4.2.4"
                    ],
                    "url": "https://github.com/OpenSlides/OpenSlides/releases"
                }
            ]
        }
    ]
}
