Date: Thu, 22 Feb 2018 16:46:55 +0000 From: Justin Bull <me@...tinbull.ca> To: oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, fulldisclosure@...lists.org Subject: Re: [CVE-2018-1000088] Stored XSS vulnerability in Doorkeeper gem v2.1.0 - v4.2.5 On Wed, Feb 21, 2018 at 5:17 PM Justin Bull <me@...tinbull.ca> wrote: > > Solution: > --------- > Upgrade to Doorkeeper v4.2.6 or later > > Apologies. This fails to account for a non-trivial scenario. Any software using Doorkeeper that has generated its own custom views requires manual work to verify there's no explicit HTML in the `client_name` and `native_redirect_uri` field values. This has been updated in the bulletin's Fix section. : https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-views : https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/#fix -- Justin Bull PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.