PitchInteractiveInc / Phinch

Phinch is an open-source framework for visualizing biological data, funded by a grant from the Alfred P. Sloan foundation. This project represents an interdisciplinary collaboration between Pitch Interactive, a data visualization studio in Oakland, CA, and biological researchers at UC Riverside.
http://phinch.org/
BSD 2-Clause "Simplified" License

[Bug reporting] XSS vulnerability in wp_kses_bad_protocol in wp-includes/kses.php (CVE-2019-20041) #86

Open seongil-wi opened 2 years ago

seongil-wi commented 2 years ago

Hi

I found a known XSS vulnerability in the recent version of Phinch. In particular, the bug we report is a known bug, CVE-2019-20041.

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.

Please check this line: https://github.com/PitchInteractiveInc/Phinch/blob/c87966eb6941b5dddeef74a351262a366e8a781a/blog/wp-includes/kses.php#L1057

Thanks!
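The entity-handling gap this CVE describes, as an added example in Python that is not Phinch's or WordPress's code: a simplified scheme check modelled on the kses approach, run once with a decoder that only knows a legacy entity set and once with the full HTML5 set (which includes the colon named entity). The scheme allowlist and the legacy entity table are constructed for the example.

```python
import html
import re
from typing import Callable, Optional

# Schemes the sanitizer allows in href/src values (constructed allowlist).
ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}

# A pre-HTML5 named-entity table: it knows &amp;, &lt;, &gt; and &quot;
# but not the HTML5 &colon; entity (constructed to model the old behaviour).
LEGACY_ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "quot": '"'}
ENTITY_RE = re.compile(r"&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z][A-Za-z0-9]*);")


def decode_legacy(text: str) -> str:
    """Decode numeric entities and the legacy named set; unknown names survive."""
    def repl(m: re.Match) -> str:
        ref = m.group(1)
        if ref.startswith("#"):
            code = int(ref[2:], 16) if ref[1] == "x" else int(ref[1:])
            return chr(code) if code <= 0x10FFFF else m.group(0)
        return LEGACY_ENTITIES.get(ref, m.group(0))
    return ENTITY_RE.sub(repl, text)


def decode_html5(text: str) -> str:
    """Decode the full HTML5 named-entity set, so &colon; becomes ':'."""
    return html.unescape(text)


def scheme_of(value: str, decode: Callable[[str], str]) -> Optional[str]:
    """Lower-cased scheme before the first ':' after entity decoding, or None."""
    # Decode until stable so double-encoded forms (&amp;colon;) are resolved too.
    prev, cur = None, value
    while cur != prev:
        prev, cur = cur, decode(cur)
    if ":" not in cur:
        return None
    head = cur.split(":", 1)[0]
    # Strip whitespace/control characters so a split-up scheme is still seen.
    return re.sub(r"[\s\x00-\x1f]", "", head).lower()


def is_safe_url(value: str, decode: Callable[[str], str] = decode_html5) -> bool:
    """True when the value carries no scheme or only an allowlisted one."""
    scheme = scheme_of(value, decode)
    return scheme is None or scheme in ALLOWED_SCHEMES
```

With the legacy decoder the entity never becomes a colon, so the value looks scheme-less and passes; with the HTML5 decoder the same value resolves to a disallowed scheme and is rejected.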