author | Lauri Ojansivu <x@xet7.org> | 2020-03-23 22:29:20 +0200 |
---|---|---|
committer | Lauri Ojansivu <x@xet7.org> | 2020-03-23 22:29:20 +0200 |
commit | 482682e50079d70c5113169020d6834013b57c11 (patch) | |
tree | 6a2f2f40f0335fc9c07aee179d11154e5dfecdc6 /public/api | |
parent | 3a6303e5c2abef843b3cf0ff236e02aa3e645b67 (diff) | |
SECURITY VULNERABILITY FIX: Fix XSS bug reported today 4 hours ago by Cyb3rjunky.
Logged-in users could run JavaScript in input fields.
This affects Wekan versions v3.12-v3.84.
In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release)
there were [changes for XSS filter to allow inserting images, videos etc.
on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593)
so features related to that are now removed.
After this fix, JavaScript in input fields is not executed.
Thanks to Cyb3rjunky and xet7!
Diffstat (limited to 'public/api')
0 files changed, 0 insertions, 0 deletions