
v0.19.3


@Flomp Flomp released this 02 Jul 13:01

0.19.3

Security

  • Fixed unauthenticated IDOR on GET /activitypub/trail/{id} and GET /activitypub/comment/{id} — private records are now access-checked before being returned. (GHSA-9qg7-jr2x-prvh, reported by @de3erve-hunter)
  • Fixed stored XSS via waypoint.icon in map markers — the icon value is now validated against an allowlist before being passed to insertAdjacentHTML. (GHSA-hx3v-rv4v-w875, reported by @de3erve-hunter)
  • Fixed stored XSS via waypoint.name and waypoint.icon in the elevation profile — replaced unsafe innerHTML assignment with safe DOM construction. (GHSA-m7v2-6gj3-3g2p, reported by @de3erve-hunter)
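The two XSS mitigations named above (an allowlist check on waypoint.icon before any HTML string is built, and text-only DOM construction for waypoint.name), written out as an added illustration; this is not the project's own code, and the icon names, class names, and the injected `doc` parameter are assumptions.

```javascript
// Added example, not the project's code. Icon names and markup are assumptions.
const ICON_ALLOWLIST = new Set(["flag", "camera", "tent", "water", "summit"]);
const DEFAULT_ICON = "flag";

// Pre-fix pattern as the release notes describe it: a user-controlled icon
// value interpolated straight into markup destined for insertAdjacentHTML.
function unsafeMarkerHtml(waypoint) {
  return `<i class="icon icon-${waypoint.icon}"></i>`;
}

// Mitigation 1: reduce waypoint.icon to an allowlisted token. Anything else,
// including non-strings, falls back to a known-good default.
function sanitizeIcon(icon) {
  return typeof icon === "string" && ICON_ALLOWLIST.has(icon) ? icon : DEFAULT_ICON;
}

// Only an allowlisted token is ever interpolated, so the resulting string
// carries no attacker-controlled markup when handed to insertAdjacentHTML.
function markerHtml(waypoint) {
  return `<i class="icon icon-${sanitizeIcon(waypoint.icon)}"></i>`;
}

// Mitigation 2: build the elevation-profile label with DOM APIs instead of
// innerHTML. `doc` is passed in so the function can run outside a browser
// (pass `document` in page code).
function buildLabel(doc, waypoint) {
  const label = doc.createElement("span");
  label.className = `waypoint-label icon-${sanitizeIcon(waypoint.icon)}`;
  // textContent stores the name as text; the browser never parses it as HTML.
  label.textContent = String(waypoint.name ?? "");
  return label;
}

// Stand-alone demonstration with constructed waypoint data.
if (typeof document === "undefined") {
  const fakeDoc = { createElement: (tag) => ({ tagName: tag, className: "", textContent: "" }) };
  const hostile = { name: "<b>Hut</b>", icon: 'x"><b>x</b>' };
  console.log(unsafeMarkerHtml(hostile)); // markup from the icon value leaks through
  console.log(markerHtml(hostile));       // <i class="icon icon-flag"></i>
  console.log(buildLabel(fakeDoc, hostile).textContent); // <b>Hut</b> kept as plain text
}
```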