
XSS vulnerability via published html report in build spec

Moderate
robinshine published GHSA-x32j-7pm6-fp8w Jan 30, 2021

Package

No package listed

Affected versions

<4.1.3

Patched versions

4.1.3

Description

Impact

Any user who is allowed to push to a repository can edit the build spec on their branch to publish arbitrary content as an HTML report during the build. Because that report is rendered by the OneDev web interface, this is a stored cross-site scripting (XSS) vulnerability: attacker-supplied markup and script run in the browser of any other user who views the report.

Patches

This issue has been fixed in 4.1.3 by removing the ability to publish HTML reports.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

No CWEs