Several stored XSS

Moderate
trasher published GHSA-vjc9-mj44-x59q Oct 24, 2021

Package

No package listed

Affected versions

< 0.9.5

Patched versions

0.9.5

Description

Impact

Malicious JavaScript can be stored through the self-subscription form and is executed later when the self-subscription page is displayed (stored XSS). Disabling the self-subscription feature is a workaround; it is disabled by default.
On the login and password-retrieval pages, malicious JavaScript supplied in the request is reflected back and executed, but not stored (reflected XSS).

All releases before 0.9.5 are affected.
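As an added illustration (this is not Galette's code, and not the patch shipped in 0.9.5), the two XSS shapes described above in a hypothetical PHP page: a member name saved from a self-subscription form and rendered later to staff, and a request parameter echoed back into a login form. The record layout, function names and payloads are constructed for the example; the fix is the same in both cases, escaping at the output boundary with htmlspecialchars.

```php
<?php
// Added example, not Galette's code. Demonstrates stored vs. reflected XSS
// against a hypothetical member record and a hypothetical login form.
declare(strict_types=1);

// Output-encode for an HTML text or attribute context. ENT_QUOTES covers both
// quote styles so the value is also safe inside a quoted attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- Stored XSS (self-subscription page) -------------------------------------
// A visitor self-subscribes with a crafted name. The value is saved as-is and
// later rendered to the staff member who reviews pending subscriptions.
$storedMember = ['name' => '<img src=x onerror="alert(document.cookie)">']; // constructed payload

// Vulnerable rendering: raw interpolation of database content.
function renderMemberVulnerable(array $member): string
{
    return "<li>{$member['name']}</li>";
}

// Fixed rendering: escape at the output boundary, regardless of how the value
// was stored. Validation at input time is a useful second layer, not a substitute.
function renderMemberFixed(array $member): string
{
    return '<li>' . h($member['name']) . '</li>';
}

// --- Reflected XSS (login / password-retrieval pages) -------------------------
// A request value (here, a login name re-displayed after a failed attempt) goes
// straight back into the response. Nothing is persisted; the payload lives only
// in the crafted link the victim is lured into opening.
$request = ['login' => '"><script>alert(1)</script>']; // constructed payload

function renderLoginVulnerable(array $get): string
{
    return '<input type="text" name="login" value="' . ($get['login'] ?? '') . '">';
}

// The closing quote in the payload is neutralised because h() encodes `"`
// as &quot;, so the value cannot break out of the attribute.
function renderLoginFixed(array $get): string
{
    return '<input type="text" name="login" value="' . h($get['login'] ?? '') . '">';
}

echo renderMemberVulnerable($storedMember), PHP_EOL;
echo renderMemberFixed($storedMember), PHP_EOL;
echo renderLoginVulnerable($request), PHP_EOL;
echo renderLoginFixed($request), PHP_EOL;
```

Run it with `php example.php` and compare the four lines: the two "Vulnerable" outputs contain live markup, the two "Fixed" outputs contain only entity-encoded text. Disabling self-subscription removes the stored variant's entry point, but only output encoding closes the reflected variant, which is why upgrading rather than relying on the workaround is the recommendation.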

Patches

Upgrade to Galette 0.9.5.

For more information

See https://bugs.galette.eu/issues/1535

Severity

Moderate

CVE ID

CVE-2021-21319

Weaknesses

No CWEs

Credits