Cross-site scripting in patchwork - CVE-2019-13122
Published: July 10, 2019 / Updated: July 17, 2020
patchwork
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via "A Cross Site Scripting (XSS) vulnerability exists in the template tag used to render message ids" when Patchwork. This affects the function msgid in templatetags/patch.py. Patchwork versions v2.1.4 and v2.0.4 will contain the fix. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website .
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
How to mitigate CVE-2019-13122
Sources
- http://jk.ozlabs.org/projects/patchwork/
- http://www.openwall.com/lists/oss-security/2019/07/05/1
- https://github.com/getpatchwork/patchwork/commits/master
- https://github.com/getpatchwork/patchwork/releases
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/005870.html
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/005878.html
- https://lists.ozlabs.org/pipermail/patchwork/2019-July/date.html