Cross-site scripting (XSS)

Synopsis

A vulnerability has been found in Kallithea in the 'Download as zip' and 'Compare' features of repositories.

Description

If an attacker has write access to a repository, they can create a branch, tag or bookmark with a name containing JavaScript.

Due to incorrect escaping of such names in the 'Download as zip' feature on the summary page of a repository, the potentially malicious JavaScript was evaluated when selecting that branch/tag/bookmark in the 'Select changeset' dropdown menu.

This issue was found and reported by:
Bob Hogg (wombat@rwhogg.site).

The same issue turned out to be present in the version selection dropdown menus of the 'Compare' feature of repositories.

Resolution

The issue is fixed in release 0.3.7. Users are advised to upgrade as soon as possible.

Affected versions

As far as we know, the issue is present in all Kallithea releases prior to 0.3.7.

References

Mercurial changesets fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/c9bd000a45675b1029fa19fd25b3db2c37169560 and https://kallithea-scm.org/repos/kallithea/changeset/04e44ea05c5fee8744879daf5b2c2e29051f8960

Kallithea Security Notice

Synopsis

Description

Resolution

Affected versions

References