Impact
Anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over IF they view a project whose title was crafted to do so. The issue is that if a user visits a project that includes JavaScript in the title, then when the Recently Viewed Projects feature displays that title, the JavaScript could run in the user's browser.
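The defect described above, shown as an added example rather than code from the project: a "recently viewed" list that concatenates the stored project title straight into HTML executes any script the title carries, while the same list rendered through an HTML-escaping step displays the title as plain text. The function names, the shape of the stored entries and the sample titles are assumptions constructed for this illustration.

```javascript
// Added example, not the project's own code. Entry shape and names are assumed.

// Constructed sample data: the second title carries markup, as in the advisory.
const sampleRecent = [
  { id: 1, title: "My first game" },
  { id: 2, title: "<script>alert(1)</script>" },
];

// VULNERABLE: the title is interpolated into HTML unescaped, so any markup in it
// becomes part of the page and any script in it runs when the list is shown.
function renderRecentUnsafe(entries) {
  return entries
    .map((e) => `<li><a href="/projects/${e.id}">${e.title}</a></li>`)
    .join("");
}

// Escape the five characters that can change HTML element or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// FIXED: the title is escaped before interpolation, so the browser renders it as
// text. (In DOM code the equivalent is assigning element.textContent instead of
// innerHTML.) The id is URL-encoded because it lands inside an href attribute.
function renderRecentSafe(entries) {
  return entries
    .map(
      (e) =>
        `<li><a href="/projects/${encodeURIComponent(e.id)}">${escapeHtml(e.title)}</a></li>`,
    )
    .join("");
}

// Regression check a maintainer can keep: rendered output must never contain a
// raw <script tag that originated from user-controlled title text.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```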
Patches
The problem has not yet been patched, but we're working on fixing it and it should be working safely very soon. It will be easy to fix, and we will likely implement an emergency feature shutdown as well.
Workarounds
You'll have to turn off the Recently Viewed Projects feature, or avoid visiting any project that includes dangerous JavaScript in its title.
References
Thank you to GarboMuffin for discovering and reporting this issue.
For more information
If you have any questions or comments about this advisory: