Release 5.1.2
Gollum versions from 5.0 up to this release were vulnerable to CVE-2020-35305, a stored Cross-Site Scripting (XSS) vulnerability; 5.1.2 contains the fix. Please update!
NB: this report has arrived late because it took about two years for a CVE to be reserved. 😢 Newer versions of Gollum have been released since, which are all unaffected by this vulnerability.
Description of the vulnerability
- Vulnerability Type: Cross Site Scripting (XSS)
- Affected Component: the Overview and Pages views of the Gollum wiki.
- Result: Arbitrary JavaScript runs in the browser of any user who visits the Overview or Pages view, because the crafted page name is stored in the wiki and displayed there unescaped.
- Attack Vectors: Enter a maliciously crafted filename (page name) in the 'New Page' dialog.
- Discoverer: Tsubasa Umeuchi (@Szarny)
Reproducing the vulnerability
Filenames of the following form triggered the vulnerability on the Overview and Pages views: '<img src=x onerror=alert(1) />'.
Solution
We now sanitize displayed page names (137728c) and have added regression tests guarding against this and similar vulnerabilities. Thanks to @Szarny for the report!
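To illustrate the bug class and the shape of the fix, here is an added example in Ruby. It is not Gollum's own template code and not the content of commit 137728c: a minimal, hypothetical page-listing renderer in its vulnerable form beside a hardened one, plus a regression-style check. The function names, the constructed sample page names and the single-segment treatment of the href are assumptions made for this example.

```ruby
require 'cgi'
require 'erb'

# Constructed sample input (not taken from the report): page names as a user
# could enter them in the 'New Page' dialog. The last one is the payload from
# the advisory.
XSS_PAYLOAD = '<img src=x onerror=alert(1) />'.freeze
SAMPLE_PAGE_NAMES = ['Home', 'Meeting Notes', XSS_PAYLOAD].freeze

# Vulnerable pattern (hypothetical, not Gollum's template): the raw page name
# is interpolated into the HTML of the Overview/Pages listing, so a name that
# contains markup is rendered as markup and its onerror handler runs in the
# browser of every visitor.
def render_page_list_vulnerable(names)
  items = names.map { |name| %(<li><a href="/#{name}">#{name}</a></li>) }
  "<ul>\n#{items.join("\n")}\n</ul>"
end

# Hardened pattern: escape each untrusted value for the context it lands in.
# - CGI.escapeHTML turns < > & " ' into entities, so the name is shown as text.
# - ERB::Util.url_encode percent-encodes the name for the href path segment.
#   Assumption for this example: the whole name is one path segment; wiki
#   paths containing '/' would need per-segment encoding instead.
def render_page_list_safe(names)
  items = names.map do |name|
    href = '/' + ERB::Util.url_encode(name)
    %(<li><a href="#{href}">#{CGI.escapeHTML(name)}</a></li>)
  end
  "<ul>\n#{items.join("\n")}\n</ul>"
end

# Regression-style check: does the rendered HTML still contain the payload
# unescaped? true means the listing is exploitable.
def reflects_raw_markup?(html, payload = XSS_PAYLOAD)
  html.include?(payload)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable listing exploitable: #{reflects_raw_markup?(render_page_list_vulnerable(SAMPLE_PAGE_NAMES))}"
  puts "hardened listing exploitable:   #{reflects_raw_markup?(render_page_list_safe(SAMPLE_PAGE_NAMES))}"
  puts render_page_list_safe(SAMPLE_PAGE_NAMES)
end
```

The practical takeaway is that a page name is attacker-controlled input like any other, and it appears in two different contexts (link text and the href path), each needing its own encoding; a test like `reflects_raw_markup?` run against every view that lists pages is what catches a regression in either one.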