Cross-site scripting (XSS)
Synopsis
A vulnerability has been found in Kallithea.
Description
This vulnerability allows someone with write access to a repository to craft a README.md file that will influence the Kallithea web interface for users visiting the landing page for that repository (which displays the README).
This issue was found and reported by:
Bob Hogg (wombat@rwhogg.site).
Resolution
The issue is fixed by Mads Kiilerich in release 0.3.6. Users are advised to upgrade as soon as possible.
Affected versions
As far as we know, the issue is present in all previously released Kallithea versions.
References
- Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/5746cc3b3fa5a1b8735ba914823b44550b406c15