Update ChangeLog.

author: Lauri Ojansivu <x@xet7.org> 2020-03-23 22:49:28 +0200
committer: Lauri Ojansivu <x@xet7.org> 2020-03-23 22:49:28 +0200
commit: ec71849d84a7274f6c60d39ee7f041e6a87e127c (patch)
tree: 2c1c701e5a05c305ce23a7d1cba6f839ee8b0d9b /CHANGELOG.md
parent: 482682e50079d70c5113169020d6834013b57c11 (diff)
download: wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.tar.gz
wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.tar.bz2
wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.zip
1 files changed, 11 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79b141eb..f13a7d15 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,16 @@
 # Upcoming Wekan release
 
-This release fixes the following bugs:
-
-- 
+This release fixes the following SECURITY VULNERABLITIES:
+
+- [Fix XSS bug reported today 4 hours ago by Cyb3rjunky](https://github.com/wekan/wekan/commit/482682e50079d70c5113169020d6834013b57c11).
+  Logged in users could run javascript in input fields.
+  This affects Wekan versions v3.12-v3.84.
+  In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release)
+  there was [changes for XSS filter to allow inserting images, videos etc
+  on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593)
+  so features related to that are now removed.
+  After this fix, Javascript in input fields is not executed.
+  Thanks to Cyb3rjunky and xet7.
 
 Thanks to above GitHub users for their contributions and translators for their translations.
author	Lauri Ojansivu <x@xet7.org>	2020-03-23 22:49:28 +0200
committer	Lauri Ojansivu <x@xet7.org>	2020-03-23 22:49:28 +0200
commit	ec71849d84a7274f6c60d39ee7f041e6a87e127c (patch)
tree	2c1c701e5a05c305ce23a7d1cba6f839ee8b0d9b /CHANGELOG.md
parent	482682e50079d70c5113169020d6834013b57c11 (diff)
download	wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.tar.gz wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.tar.bz2 wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.zip