Users can attach YouTube video URLs to their posts, and the site generates the corresponding <iframe> when the post is published. The handler has some protection: non-YouTube links can't be posted, and HTML tags are stripped. However, it was still possible to add custom HTML attributes (e.g. onclick=alert("xss")) to the <iframe>.
It was fixed in version 1.1.34 and does not require any extra action from our members. There is also no evidence that this vulnerability was used by anyone.
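
The class of bug described above, as an added example that is not the site's code: a hypothetical handler that checks the host and strips tags but still interpolates the URL into src, next to one that rebuilds the markup from a validated video ID. The function names, host allowlist, 11-character ID pattern and sample URLs are assumptions.

```javascript
// Added example, not the site's code. All names and sample URLs are constructed.
const SAMPLE_GOOD = "https://www.youtube.com/watch?v=aBcDeFgHiJk";
const SAMPLE_EVIL = SAMPLE_GOOD + '" onclick=alert("xss")';

// Hypothetical weak handler: prefix check plus tag stripping, then the raw
// URL goes straight into the attribute. A double quote in the input closes
// src, so the rest of the string is parsed as further attributes.
function naiveEmbed(url) {
  if (!/^https:\/\/(www\.)?youtube\.com\/watch\?v=/.test(url)) return null;
  const stripped = url.replace(/<[^>]*>/g, ""); // removes tags, not quotes
  return `<iframe src="${stripped}"></iframe>`;
}

// Hardened handler: parse the URL, allowlist the host, and keep only the
// video ID. Assumption: IDs are 11 characters from [A-Za-z0-9_-].
const YT_HOSTS = new Set(["youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

function extractVideoId(input) {
  let u;
  try {
    u = new URL(input);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (u.protocol !== "https:" || !YT_HOSTS.has(u.hostname)) return null;
  const id = u.hostname === "youtu.be" ? u.pathname.slice(1) : u.searchParams.get("v");
  return id !== null && VIDEO_ID.test(id) ? id : null;
}

// The markup is built from a fixed template and the validated ID only, so
// no user-controlled character other than [A-Za-z0-9_-] reaches the HTML.
function safeEmbed(input) {
  const id = extractVideoId(input);
  if (id === null) return null;
  return `<iframe src="https://www.youtube.com/embed/${id}" allowfullscreen></iframe>`;
}

console.log(naiveEmbed(SAMPLE_EVIL)); // attribute text lands outside src
console.log(safeEmbed(SAMPLE_EVIL));  // rejected
console.log(safeEmbed(SAMPLE_GOOD));  // embed built from the ID alone
```
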