Djblets 0.9.2 Release Notes
Release date: March 1, 2016
Security Updates
Fixed a Self-XSS vulnerability in the djblets.datagrid column headers.

A recently discovered vulnerability in the datagrid templates allowed an attacker to craft a URL to any datagrid page whose column sorting value contained malicious markup. If a user visits that URL and then clicks the affected column header, the injected code executes in that user's browser, in the context of the site. Because the victim has to both follow the link and interact with the column, this is a Self-XSS rather than a fully automatic reflected XSS, but the impact once triggered is the same.

The vulnerability was caused by a template that inserted the user-provided sorting value without HTML escaping.
This vulnerability was reported by Jose Carlos Exposito Bueno (0xlabs).
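The following is an added example, not Djblets code, showing why an unescaped sort value in a column-header template is exploitable and what escaping does to it. The datagrid path, the `sort` query parameter name, the header markup, and the payload are all constructed assumptions for illustration; Djblets' real template is not reproduced here.

```python
"""Added example (not Djblets code): Self-XSS via an unescaped sort value."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed URL a victim might be sent. The page path and the "sort"
# parameter name are assumptions for illustration, not Djblets' real ones.
MALICIOUS_URL = (
    "https://example.invalid/dashboard/"
    "?sort=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)


def sort_value_from_url(url: str) -> str:
    """Return the decoded 'sort' query value exactly as a view would see it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("sort", [""])[0]


def render_header_vulnerable(column: str, sort_value: str) -> str:
    """Stand-in for a template fragment that interpolates the user-supplied
    sort value with escaping disabled (the pre-fix behaviour described above)."""
    return f'<a href="?sort={sort_value}">{column}</a>'


def render_header_fixed(column: str, sort_value: str) -> str:
    """Same fragment with HTML escaping, quotes included, so the value can
    neither close the href attribute nor open a new element."""
    return (f'<a href="?sort={html.escape(sort_value, quote=True)}">'
            f'{html.escape(column)}</a>')


class _TagCollector(HTMLParser):
    """Records every element start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list:
    """List the element start tags a browser would parse out of the fragment."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def injected_tags(fragment: str) -> list:
    """Any tag other than the single expected <a> means the sort value
    was interpreted as markup rather than as text."""
    return [tag for tag in tags_in(fragment) if tag != "a"]


if __name__ == "__main__":
    value = sort_value_from_url(MALICIOUS_URL)
    print("sort value :", value)
    print("vulnerable :", render_header_vulnerable("Summary", value))
    print("fixed      :", render_header_fixed("Summary", value))
    print("injected   :", injected_tags(render_header_vulnerable("Summary", value)))
```

The `injected_tags` check is the kind of assertion a regression test for this fix would make: feed the rendered header through a real HTML parser and require that nothing beyond the expected link element comes out. Testing against the parser rather than against string matching catches attribute break-outs (the `">` prefix in the payload) as well as bare `<script>` injection.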
Contributors
Christian Hammond
Jose Carlos Exposito Bueno (0xlabs)