Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14Z2ZtLWZqeDYtNjJtas4AA4gD
readthedocs-sphinx-search vulnerable to cross-site scripting when including search results from malicious projects
Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. This was due to our search client not correctly escaping all user content from search results. You can find more information in the advisory published in our readthedocs.org repo.
Users of this extension should update to the 0.3.2 version, and trigger a new build.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Patches
This issue has been patched in our 0.3.2 version.
References
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)
Permalink: https://github.com/advisories/GHSA-xgfm-fjx6-62mjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Z2ZtLWZqeDYtNjJtas4AA4gD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Identifiers: GHSA-xgfm-fjx6-62mj
References:
- https://github.com/readthedocs/readthedocs-sphinx-search/security/advisories/GHSA-xgfm-fjx6-62mj
- https://github.com/readthedocs/readthedocs-sphinx-search/commit/8c6f6d01e88e72ef32ed0c220b6c19d1e1121c73
- https://github.com/advisories/GHSA-xgfm-fjx6-62mj
Blast Radius: 18.5
Affected Packages
pypi:readthedocs-sphinx-search
Dependent packages: 73Dependent repositories: 857
Downloads: 47,246 last month
Affected Version Ranges: <= 0.3.1
Fixed in: 0.3.2
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.3.0, 0.3.1
All unaffected versions: 0.3.2