Cross-site scripting (XSS)
A vulnerability has been found in Kallithea in the rendering of README files.
If a repository contains a 'README' file (in one of various formats, like README.md or README.rst) Kallithea will render it according to the used format.
For Markdown-formatted README files, this issue was already previously fixed in Kallithea 0.3.6, but it was overlooked that the same issue is present for other README formats.
This issue was found and reported by:
Bob Hogg (firstname.lastname@example.org).
The issue is fixed in release 0.3.7. Users are advised to upgrade as soon as possible.
As far as we know, the issue is present in all Kallithea releases prior to 0.3.7.
- Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/e74aa69f6827e1f6da4ae94ea2bcac10c98d0203