Kallithea Security Notice CVE-2015-1864

Multiple HTML and Javascript injections


Several vulnerabilities have been found in Kallithea, allowing attackers to inject malicious code into the administration pages.


HTML and Javascript injection was possible in several places in the Kallithea UI, allowing attackers to run malicious code.

User details (first name, last name) as well as repository, repository group and user group descriptions were pasted unfiltered into the HTML code, thus attacker could inject their code by setting their first name to, for example:

<img src="/images/kallithea-logo.svg" onload="alert('Hello, World!');">

This would display an alert every time users administration page. Used against a user with administrator's access, this can expose sensitive information:

<img src="/images/kallithea-logo.svg"
    a=new RegExp('[0-9a-z]{40}','g');alert('Your API key is:'+
    data.substr(data.search(a), 40));});">


As the vulnerability allows attacker to execute arbitrary code in the user's browser, it can be used to gain access to the user's account by stealing user's credentials, like API keys. In the case the user also has administrator rights, it is possible for the attacker to gain full administrator access to the Kallithea instance.


Kallithea project has fixed this issue, and issued a patch and a bugfix release.

Users are recommended to apply the patch or to upgrade to the latest 0.2.1 release.

Affected versions

The issue is currently present in Kallithea versions before 0.2.1.


Thanks to Nick High for reporting this issue.


  1. CVE-2015-1864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1864

  2. Kallithea: Security Notice CVE-2015-1864 https://kallithea-scm.org/security/cve-2015-1864.html

  3. Patch for the issue https://kallithea-scm.org/security/cve-2015-1864.patch

  4. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/a8f2986afc18c9221bf99f88b06e60ab83c86c55