Cross-site scripting (XSS)
A vulnerability has been found in Kallithea.
This vulnerability allows a normal user to inject code into pages viewable by other users/visitors of Kallithea (XSS).
This issue was found and reported by Kacper Szurek (https://security.szurek.pl/).
The issue is fixed by Mads Kiilerich in release 0.3.5. Users are advised to upgrade as soon as possible.
To detect a possible breach, users should verify the presence of unexpected newly created repository groups inside Kallithea.
As far as we know, the issue is present in all previously released Kallithea versions.
- Mercurial changeset fixing the issue: https://kallithea-scm.org/repos/kallithea/changeset/64d41568507ce86f9fc601933f1cb0b4c8caddca