Security Advisory - LRN-128071- XSS Vulnerability in File Uploads Could Allow Information Disclosure
We are currently using Q4 2017 CU2 on Test and Integration and Q4 2016 CU6 on Production.
Confirmed with Bb Support that in EVERY Bb Release - even if Authorization Vulnerability is Not Affected (ex: Q4 2016 CU6) OR if Product not listed (ex: Q4 2017 CU2) that:
Clients should also ensure the "Global Safe HTML Filter" is enabled and set to the strictest setting.
So, Bb Support recommends that Safe HTML Filters->Global Safe HTML Filter->Filtering Mode='All HTML'
Since this would have major user impact (example: Users with some special characters in passwords would not be able to log in), we continue to work with Bb Support to identify all potential impacts.