Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 4 Jan 2021 16:20:28 +0100
From: Pietro Albini <pietro@...troalbini.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-26297: mdBook XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Rust Security Response Working Group was recently notified of a security
issue affecting the search feature of mdBook, which could allow an attacker to
execute arbitrary JavaScript code on the page.

The CVE for this vulnerability is [CVE-2020-26297][1].

## Overview

The search feature of mdBook (introduced in version 0.1.4) was affected by a
cross site scripting vulnerability that allowed an attacker to execute
arbitrary JavaScript code on an user's browser by tricking the user into typing
a malicious search query, or tricking the user into clicking a link to the
search page with the malicious search query prefilled.

mdBook 0.4.5 fixes the vulnerability by properly escaping the search query.

## Mitigations

Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater
and rebuild their website contents with it. It's possible to install mdBook
0.4.5 on the local system with:

```
cargo install mdbook --version 0.4.5 --force
```

## Acknowledgements

Thanks to Kamil Vavra for responsibly disclosing the vulnerability to us
according to [our security policy][2].

## Timeline of events

All times are listed in UTC.

* 2020-12-30 20:14 - The issue is reported to the Rust Security Response WG
* 2020-12-30 20:32 - The issue is acknowledged and the investigation began
* 2020-12-30 21:21 - Found the cause of the vulnerability and prepared the patch
* 2021-01-04 15:00 - Patched version released and vulnerability disclosed

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26297
[2]: https://www.rust-lang.org/policies/security
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEV2nIi/XdPRSiNKes77mGCudSDawFAl/zJ2oACgkQ77mGCudS
DaxtCRAAwRayTKHncQjLla6SG0HwUYX5q3Q2zsDOhrMNnQmPb4Db0hBI4tuYy6O3
hQO0yOIuhvJKS17aMzsGL1qCYrc50d8Em3OW758FYP/VtsfJh0rvbqRl4hDvEcx1
ZBcNlrbf5y7esrsAFneeezxKbYqkWB1RnSjc87Rbs0Yph7shGKDA/aURZb83vCCr
28aEBaFUpCYP+mNzTVfhh2ZsPJ9J5xaLbFbz2kune0QrrAlUzR2rj+yz0wuKOMi5
nvL5akfpqq1eV4XkV1pheo+FeZVW797VmNTmOfW1V2q+sMhZhpwjJTb4D2b/6k4m
s1IUfCZbL2FqR8NkGybb2yoPAInDh6NQcj8v2RM0N2MHFgx25CATuQHg+oHshBv4
ycuLHzzEtSkg1YcPjzqmBOSi8zRHY5cAJnZQc36bXqzoKtkQxDdyhP2sLvaXLhJj
H8nQq80TKkWHgZGDTTR2QUw/D6z2SF8YFYKRz4stuP4H1bOBLwyqFrAl+4HTeheW
B/3LEL7ObvaENXGagfampNuCru7XXcPpuhwSacs8azKrcSKa7MSnT/ALyTSZ4hAP
Uy/PuQPaX4gVCYL4QYD4xlY6T+QMLzY07CRTcuDuA+M0b4cHrMfBRNWX0SA9Hi1a
6sXVC5cWuOWzDso7hRSjpvkkG5MRXfU+MgHn3C/ZOjmuLfjO0V0=
=sM0q
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.