Closed ntrampham closed 3 months ago
Greetings!
Thank you for reporting this issue. I had overlooked that validation.
Hi
Would you mind publishing a CVE for this?
I actually do not know how to publish a CVE. I would have to read up on it. Using this form? https://cveform.mitre.org/
Yes, absolutely right!
It would be great if you could set up a security policy for the repo you own here: https://github.com/ansibleguy/webui/security.
This would allow users to draft a report on their own. You will then only need to approve and publish it. Ref: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory#
Alright. I have added the policy, and security advisories are now enabled.
Would you mind testing the validation-fix in version 0.0.21?
Fix looks good. I am no longer able to reproduce the vulnerability. Please go ahead and publish a security advisory for this.
Here you go: https://github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj
Thank you again for reporting it.
Have a nice day
Note: CSP has been configured since the last release. This feature helps prevent XSS in possible future vulnerabilities. https://github.com/ansibleguy/webui/commit/5cbe2f8f536c3a80dca7b379013afa23314c8467
Versions: latest
Scope: Backend (API)
Issue: Report.pdf