# Security Update 2022-08-02

## Thank You

Special thanks goes to @J-GainSec for disclosure on #368.

## Vulnerability Fixes

- Sanitization in Search
- Sanitization in Filepaths (Page Actions by Admin)
- Correct HTML escaping in Pages

## Notes

- All images, links, etc. are now required to be in Markdown. Any raw HTML will be stripped.
- All existing pages will still have embedded HTML (for compatibility). When you update the page (using new Markdown) the contents will be re-saved and protected.
## CVEs

- CVE-2022-35142
- CVE-2022-35143
- CVE-2022-35144

Other improvements may come later to further address these CVEs based on feedback.

Releasing now to allow users/deployments to update.
Ryan