This repository was archived by the owner on Mar 14, 2023. It is now read-only.

XSS in title construction

Low
RhinosF1 published GHSA-g4j7-qrgj-hrh4 Feb 7, 2021

Package

app.py (python)

Affected versions

before 2b93b46ed682c34bc6707e71d3786ce858b98983

Patched versions

2b93b46ed682c34bc6707e71d3786ce858b98983

Description

Impact

A maliciously crafted configuration file could cause an XSS in the page title. This requires access to the webserver.

Patches

https://github.com/MirahezeBots/mirahezebots.org/commit/2b93b46ed682c34bc6707e71d3786ce858b98983.patch

Workarounds

Replace

headr = headr.format(canonical=canonical, title=config['title'][path])

with

headr = headr.format(canonical=canonical, title=escape(config['title'][path]))

and add 'escape' to the 'from flask import' list.
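The effect of the workaround, as an added example that is not code from the repository. It assumes a hypothetical header template and a constructed config (the real ones are not shown in this advisory), and it uses the standard library's html.escape as a stand-in for the escape imported from Flask so that it runs without Flask installed.

```python
from html import escape  # stand-in for the escape() the workaround imports from Flask

# Hypothetical header template; the template used by app.py is not shown in the advisory.
HEADR = '<head><title>{title}</title><link rel="canonical" href="{canonical}"></head>'

# Constructed config: two ordinary titles and one that carries markup.
CONFIG = {
    'title': {
        '/': 'Home',
        '/faq': 'Questions & Answers',
        '/about': '</title><script>alert(1)</script><title>',
    }
}


def render_unpatched(path, canonical, config=CONFIG):
    """Pre-patch behaviour: the configured title is formatted in verbatim."""
    headr = HEADR
    return headr.format(canonical=canonical, title=config['title'][path])


def render_patched(path, canonical, config=CONFIG):
    """Post-patch behaviour: the title is HTML-escaped before formatting."""
    headr = HEADR
    return headr.format(canonical=canonical, title=escape(config['title'][path]))


def has_raw_script_tag(html):
    """True if the rendered header contains an unescaped <script> tag."""
    return '<script' in html.lower()


def titles_changed_by_escaping(config=CONFIG):
    """Audit helper: map each path whose title contains HTML-significant
    characters to the escaped form that the patched code would emit."""
    changed = {}
    for path, title in config['title'].items():
        escaped = escape(title)
        if escaped != title:
            changed[path] = escaped
    return changed


if __name__ == '__main__':
    url = 'https://example.org/about'  # constructed canonical URL
    print('unpatched:', render_unpatched('/about', url))
    print('patched:  ', render_patched('/about', url))
    print('audit:    ', titles_changed_by_escaping())
```

The audit helper also reports benign titles such as one containing an ampersand; those render correctly after the patch because the browser decodes the entity back to the original character.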

References

https://phab.mirahezebots.org/T181

For more information

If you have any questions or comments about this advisory:

  • Open an issue via Phabricator
  • Email us at bots[at]miraheze[dot]org

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs