ansibleguy / webui

Basic WebUI for using Ansible
https://webui.ansibleguy.net
GNU General Public License v3.0

Problem: Potential Cross-site scripting #44

Closed ntrampham closed 3 months ago

ntrampham commented 4 months ago

Versions

latest

Scope

Backend (API)

Issue

Report.pdf

ansibleguy commented 4 months ago

Greetings!

Thank you for reporting this issue. Had overlooked that validation.

ntrampham commented 4 months ago

Hi

Would you mind publishing a CVE for this?

ansibleguy commented 4 months ago

I actually do not know how to publish a CVE. Would have to read into it... Using this form? https://cveform.mitre.org/

ntrampham commented 4 months ago

Yes, absolutely right!

ntrampham commented 4 months ago

That would be great if you can set up a security policy for the repo you own here https://github.com/ansibleguy/webui/security.

This would allow users to draft a report on their own. You will then only need to approve and publish it. Ref: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory#

ansibleguy commented 4 months ago

Alright. Have added the policy and security advisories are now enabled. Would you mind testing the validation-fix in version 0.0.21?

ntrampham commented 4 months ago

Fix looks good. I am no longer able to reproduce the vulnerability. Please go ahead and publish a security advisory for this.

ansibleguy commented 3 months ago

Here you go: https://github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj

Thank you again for reporting it.

Have a nice day

superstes commented 3 weeks ago

Note: CSP is configured since the last release. This feature helps prevent XSS in possible future vulnerabilities. https://github.com/ansibleguy/webui/commit/5cbe2f8f536c3a80dca7b379013afa23314c8467