Any ETA on XSS fix #149
Someone reported a DOM XSS vector in 07-2014:
http://www.perucrack.net/2014/07/haciendo-un-xss-en-plugin-prettyphoto.html
I can see evidence of this issue being exploited in the wild. Can you suggest when a fix would be ready?
Created a public issue because the disclosure was long ago, but a lot of people are still using this library and all of them are susceptible to this attack.

Comments

The blog post says Translation: I wonder who he reported it to and who fixed what? This repo hasn't been updated since '13 and his blog post is from July '14. I thought maybe he was talking about the WordPress prettyPhoto plugin - https://wordpress.org/plugins/prettyphoto/ - but that hasn't been updated since '13 either. The current version, 1.1, has prettyPhoto version 3.1.4, so the plugin is probably vulnerable too.

Confirmed the WordPress plugin is vulnerable. I will contact the author.

The only fix I see regarding this XSS vulnerability is in this repo.

I'll review and try to update the plugin tonight.

Cool, good to see some progress on this one. Now, once the patch is in the repository, we are left with updating/informing the dependent software of the new release. @scaron, would it be possible for you to mark the new release as a security fix and add a note stating that people are requested to update to the new version ASAP? -Anant

jsDelivr is still serving old files and is looking for someone to make a pull request. Can the author please make a pull request to get 3.1.6 into the jsDelivr repository? Refer: jsdelivr/jsdelivr#4878. Edit: Looks like it's updated, so no need for a pull request.
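The thread above tracks a DOM-based XSS in a gallery plugin without describing the mechanism. As an added illustration of the bug class and its standard mitigation (this is example code, not code from prettyPhoto, the WordPress plugin, or any participant in this issue), the block below validates a URL fragment against a strict allowlist before any part of it reaches a markup sink. The `#!prettyPhoto[<gallery>]/<index>/` fragment shape, the `renderUnsafe`/`renderSafe` functions and the sample fragments are assumptions constructed for the example; they are not taken from the plugin's source.

```javascript
// Added example (not code from prettyPhoto or from anyone in this thread):
// validating a URL fragment before it reaches a DOM sink, which is the usual
// mitigation for a DOM-based XSS. The "#!prettyPhoto[<gallery>]/<index>/"
// shape is an ASSUMPTION made for illustration, not taken from the plugin.

// Strict allowlist: only a short gallery name and a numeric index are accepted.
const FRAGMENT_RE = /^#!prettyPhoto\[([A-Za-z0-9_-]{1,32})\]\/(\d{1,4})\/$/;

// Parse the fragment into structured data, or return null if it does not match.
// Returning null (rather than echoing the raw string) keeps untrusted text
// out of every downstream sink.
function parseFragment(hash) {
  if (typeof hash !== 'string') return null;
  const m = FRAGMENT_RE.exec(hash);
  if (m === null) return null;
  return { gallery: m[1], index: Number(m[2]) };
}

// Minimal HTML escaping for the case where validated text must become markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: the raw fragment is concatenated into markup, so any
// markup characters in the fragment become part of the page.
function renderUnsafe(hash) {
  return '<div class="pp_deeplink" data-hash="' + hash + '"></div>';
}

// Hardened pattern: only the parsed, allowlisted fields are used, and the
// text field is escaped before being placed in an attribute. A fragment that
// fails validation yields a neutral placeholder instead of an error message
// that echoes the input.
function renderSafe(hash) {
  const parsed = parseFragment(hash);
  if (parsed === null) return '<div class="pp_deeplink"></div>';
  return '<div class="pp_deeplink" data-gallery="' + escapeHtml(parsed.gallery) +
         '" data-index="' + parsed.index + '"></div>';
}

// Constructed sample fragments: one well-formed, one containing markup characters.
const SAMPLE_OK = '#!prettyPhoto[gallery1]/2/';
const SAMPLE_BAD = '#!prettyPhoto[gallery1"><b>]/2/';

console.log(parseFragment(SAMPLE_OK));   // { gallery: 'gallery1', index: 2 }
console.log(parseFragment(SAMPLE_BAD));  // null
console.log(renderUnsafe(SAMPLE_BAD));   // markup characters from the fragment leak into the output
console.log(renderSafe(SAMPLE_BAD));     // neutral placeholder, nothing from the fragment
```

The point of the allowlist is that the plugin never needs the fragment as a string: it needs a gallery name and an index, so those are the only things extracted, and everything else is dropped rather than filtered. That is also what makes a fix like this easy to verify in a dependent project: a unit test that feeds malformed fragments through `parseFragment` and expects `null` catches regressions without a browser.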