Impact
This vulnerability could have allowed an attacker to execute JavaScript code, giving the attacker access to the user's current session if the user performed an action that reflected a malicious input in an error message. This was due to our application not correctly escaping the content of these messages.
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild, and we weren't able to find any point of direct exploitation in our application (where unrestricted user input is reflected into the messages without high user interaction).
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation with the new theme enabled, we recommend you to upgrade.
Patches
This vulnerability has been patched with our 11.19.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)
stsewd Finder
Impact
This vulnerability could have allowed an attacker to execute JavaScript code, giving the attacker access to the user's current session if the user performed an action that reflected a malicious input in an error message. This was due to our application not correctly escaping the content of these messages.
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild, and we weren't able to find any point of direct exploitation in our application (where unrestricted user input is reflected into the messages without high user interaction).
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation with the new theme enabled, we recommend you to upgrade.
Patches
This vulnerability has been patched with our 11.19.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)