
Prevents an XSS vulnerability on the machine_list view #405

Merged
merged 2 commits into from Oct 7, 2020

Conversation

grahamgilbert
Member

@grahamgilbert grahamgilbert commented Oct 2, 2020

@opragel

opragel commented Oct 7, 2020

This change looks good from my end @grahamgilbert.

@grahamgilbert grahamgilbert merged commit 145bb72 into main Oct 7, 2020
2 checks passed
@grahamgilbert grahamgilbert deleted the xss branch October 7, 2020 02:56
@reedloden

Is there a CVE assigned for this?

@grahamgilbert
Member Author

No.

@reedloden

Perhaps use GitHub's security advisory functionality to request one? https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/publishing-a-security-advisory

@rschultheis

👋 I am writing on behalf of the GitHub CNA team. We received a request from the researchers to assign a CVE to this issue, and have done so. This was assigned CVE-2020-26205 and should be published in MITRE shortly.

I am also seeing that while the issue is patched in git, there does not seem to be a new release of Sal that contains this fix yet. The latest release of Sal being 4.1.6, made on July 31, and this issue being patched October 6. Will a new release be forthcoming? We will update the CVE to note a fix version once it is available.

Thanks for all your work keeping open source secure @grahamgilbert @opragel @reedloden and others 🙇

@grahamgilbert
Member Author

@opragel

opragel commented Oct 30, 2020

Credit to @nahamsec for discovering this vulnerability and reporting it.

@rschultheis

Thanks @grahamgilbert, we have submitted an update to the CVE to note the fix version and link to the release page. 💯
