An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05OHBmLWdmaDMteDNtcM4AAv0C

Read the Docs vulnerable to Cross-Site Scripting (XSS)


This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs[.]org/readthedocs[.]com) by exploiting a vulnerability in the code that serves downloadable content from a project.

Exploiting this would have required the attacker to get a logged-in user to visit the malicious URL, which would have allowed the attacker to take control of the user's session with JavaScript (making requests to the API/site on behalf of the user). This URL would have looked something like hxxps[:]//readthedocs[.]org/projects/attacker-project/downloads/html/version-with-javascript-attack/.


This issue has been patched in our 8.8.1 release.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 9 months ago

Identifiers: GHSA-98pf-gfh3-x3mp

Affected Packages

Versions: < 8.8.1
Fixed in: 8.8.1