彙總 openslides 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本與路徑處理缺陷,在 生產負載與軟體部署 使用場景中可能帶來 工作階段劫持與檔案覆寫 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-25519 | OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenS | [email protected] | 8.1 | 0.02% | 2026-02-04 | 2026-02-18 |
| CVE-2025-30345 | An issue was discovered in OpenSlides before 4.2.5. When creating new chats via the chat_group.create action, the user is able to specify the name of the chat. Some HTML elements such as SCRIPT are filtered, whereas others are not. In most cases, HTML entities are encoded properly, but not when deleting chats or deleting messages in these chats. This potentially allows attackers to interfere with the layout of the rendered website, but it is unlikely that victims would click on deleted chats or | [email protected] | 3.5 | 0.18% | 2025-03-21 | 2025-03-27 |
| CVE-2025-30344 | An issue was discovered in OpenSlides before 4.2.5. During login at the /system/auth/login/ endpoint, the system's response times differ depending on whether a user exists in the system. The timing discrepancy stems from the omitted hashing of the password (e.g., more than 100 milliseconds). | [email protected] | 5.3 | 0.18% | 2025-03-21 | 2025-03-27 |
| CVE-2025-30343 | A directory traversal issue was discovered in OpenSlides before 4.2.5. Files can be uploaded to OpenSlides meetings and organized in folders. The interface allows users to download a ZIP archive that contains all files in a folder and its subfolders. If an attacker specifies the title of a file or folder as a relative or absolute path (e.g., ../../../etc/passwd), the ZIP archive generated for download converts that title into a path. Depending on the extraction tool used by the user, this might | [email protected] | 3.0 | 0.54% | 2025-03-21 | 2025-03-27 |
| CVE-2025-30342 | An XSS issue was discovered in OpenSlides before 4.2.5. When submitting descriptions such as Moderator Notes or Agenda Topics, an editor is shown that allows one to format the submitted text. This allows insertion of various HTML elements. When trying to insert a SCRIPT element, it is properly encoded when reflected; however, adding attributes to links is possible, which allows the injection of JavaScript via the onmouseover attribute and others. When a user moves the mouse over such a prepared | [email protected] | 5.4 | 0.17% | 2025-03-21 | 2025-03-27 |
| CVE-2024-22893 | OpenSlides 4.0.15 verifies passwords by comparing password hashes using a function with content-dependent runtime. This can allow attackers to obtain information about the password hash using a timing attack. | [email protected] | 7.5 | 0.33% | 2024-09-25 | 2025-06-13 |
| CVE-2024-22892 | OpenSlides 4.0.15 was discovered to be using a weak hashing algorithm to store passwords. | [email protected] | 7.5 | 0.18% | 2024-09-25 | 2025-03-14 |
| CVE-2020-26280 | OpenSlides is a free, Web-based presentation and assembly system for managing and projecting agenda, motions, and elections of assemblies. OpenSlides version 3.2, due to unsufficient user input validation and escaping, it is vulnerable to persistant cross-site scripting (XSS). In the web applications users can enter rich text in various places, e.g. for personal notes or in motions. These fields can be used to store arbitrary JavaScript Code that will be executed when other users read the respec | [email protected] | 8.9 | 0.47% | 2020-12-18 | 2024-11-21 |