42 lines
1.1 KiB
ReStructuredText
==============
CVE-2020-15856
==============

XSS attack on kojiweb

Summary
-------

The kojiweb web interface is vulnerable to cross-site scripting (XSS).
Attackers can craft HTTP links containing malicious JavaScript code. Such
links were not properly sanitized, so an attacker could cause a user who
follows one to submit actions through the web UI that the user did not
intend. Some of the actions available through the web UI are destructive,
so updating to a fixed release is highly recommended.

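
The following is an added example, not kojiweb's own code: it shows the
unsafe interpolation pattern the summary describes next to the hardened
form. The function names (``render_unsafe``, ``render_safe``, ``safe_href``,
``render_link``) and the sample payloads are constructed for illustration;
kojiweb's real templates and URLs are not reproduced here. It also goes one
step beyond the summary by showing that HTML-escaping alone does not make a
link target safe, since a ``javascript:`` URL contains no HTML
metacharacters and needs a scheme check of its own.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the advisory): strings an
# attacker might place in a web-UI link parameter.
TEXT_PAYLOAD = '"><script>alert(document.cookie)</script>'
HREF_PAYLOAD = 'javascript:fetch("/koji/some_destructive_action")'
SAFE_HREF = '/koji/buildinfo?buildID=1234&tab=1'


def render_unsafe(message):
    """Vulnerable pattern: attacker-controlled text interpolated verbatim
    into the page, so any markup in `message` becomes live HTML."""
    return '<div class="error">%s</div>' % message


def render_safe(message):
    """Hardened form: escape for HTML text/attribute context, turning
    <, >, &, " and ' into entities so the browser renders rather than
    executes the attacker's input."""
    return '<div class="error">%s</div>' % html.escape(message, quote=True)


def safe_href(url, allowed_schemes=('http', 'https', '')):
    """Hypothetical helper: return an attribute-safe href or raise ValueError.

    Escaping is not enough for a link target, because `javascript:` and
    `data:` URLs contain no HTML metacharacters. Browsers also drop ASCII
    tab/newline inside a URL and strip surrounding whitespace, so the same
    is done here before the scheme is inspected (defeats `java\tscript:`).
    An empty scheme means a relative URL, which is allowed.
    """
    cleaned = url.replace('\t', '').replace('\n', '').replace('\r', '').strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme not in allowed_schemes:
        raise ValueError('disallowed URL scheme: %r' % scheme)
    return html.escape(cleaned, quote=True)


def render_link(label, url):
    """Build an anchor whose label and target are both untrusted."""
    return '<a href="%s">%s</a>' % (safe_href(url), html.escape(label, quote=True))


if __name__ == '__main__':
    print(render_unsafe(TEXT_PAYLOAD))   # the <script> tag survives intact
    print(render_safe(TEXT_PAYLOAD))     # the <script> tag is inert text
    print(render_link('Build 1234', SAFE_HREF))
    try:
        render_link('click me', HREF_PAYLOAD)
    except ValueError as exc:
        print('rejected:', exc)
```

Note that ``html.escape`` also turns ``&`` in a query string into ``&amp;``,
which is the correct encoding inside an attribute value; the browser decodes
it back before making the request.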
Bug fix
-------

We are releasing updates for the affected versions of Koji released within
the past year. The following releases all contain the fix:

- 1.23.1
- 1.22.2
- 1.21.2

Anyone using a Koji version older than a year should update to a more
current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your
work onto the appropriate update release. Please see Koji
`issue #2645 <https://pagure.io/koji/issue/2645>`_ for the code details.

As with all changes to web code, you must restart httpd for the changes to
take effect.

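
As an added check that is not part of the Koji project or of this advisory,
the following POSIX shell script compares a kojiweb version against the
fixed releases listed above. The function names (``kojiweb_fixed``,
``check_installed_kojiweb``) and the script name ``check_kojiweb.sh`` are
hypothetical. When no version is given it reads the installed ``koji-web``
RPM, and it assumes that every release after 1.23.1 also carries the fix.

```shell
#!/bin/sh
# Added example for the CVE-2020-15856 advisory, not Koji project code.
# Decides whether a kojiweb version is at or above the fixed release for
# its branch (1.21.2, 1.22.2, 1.23.1). Assumption: releases after 1.23.1
# also contain the fix, so 1.24 and later are treated as fixed.

# kojiweb_fixed VERSION -> returns 0 if VERSION contains the fix, 1 if not.
# Accepts plain "1.23.1" as well as RPM-style "1.23.1-2.el8".
kojiweb_fixed() {
  v=$1
  major=${v%%.*}
  rest=${v#"$major"}; rest=${rest#.}
  minor=${rest%%.*}; minor=${minor%%[!0-9]*}
  patch=${rest#"$minor"}; patch=${patch#.}
  patch=${patch%%[!0-9]*}
  [ -n "$major" ] && [ -n "$minor" ] || return 1
  [ -n "$patch" ] || patch=0
  # Refuse anything that is not a dotted numeric version.
  case "$major$minor$patch" in *[!0-9]*) return 1 ;; esac
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -lt 1 ]; then return 1; fi
  case "$minor" in
    21|22) [ "$patch" -ge 2 ] ;;
    23)    [ "$patch" -ge 1 ] ;;
    *)     [ "$minor" -gt 23 ] ;;
  esac
}

# check_installed_kojiweb [VERSION] -> reports on VERSION, or on the
# installed koji-web RPM when no argument is given.
# Exit status: 0 fixed, 1 affected, 2 no version could be determined.
check_installed_kojiweb() {
  ver=$1
  if [ -z "$ver" ] && rpm -q koji-web >/dev/null 2>&1; then
    ver=$(rpm -q --qf '%{VERSION}' koji-web)
  fi
  if [ -z "$ver" ]; then
    echo "no version given and koji-web is not installed via RPM" >&2
    return 2
  fi
  if kojiweb_fixed "$ver"; then
    echo "kojiweb $ver contains the CVE-2020-15856 fix"
  else
    echo "kojiweb $ver is affected by CVE-2020-15856; update to 1.21.2, 1.22.2 or 1.23.1"
    return 1
  fi
}

# Run the check only when executed as a script, so the functions can also
# be sourced into other tooling without side effects.
case ${0##*/} in
  check_kojiweb.sh) check_installed_kojiweb "$@"; exit $? ;;
esac
```

Run it as ``sh check_kojiweb.sh`` on a hub host, or ``sh check_kojiweb.sh 1.22.1``
to check a version string. A fixed RPM still needs the httpd restart noted
above before the running kojiweb actually picks up the change.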
Links
-----

Fixed versions can be found at our releases page:

https://pagure.io/koji/releases