I've been playing with the new Bodhi UI at bodhi.stg.fedoraproject.org.
I've created an update with the name of <script>alert("...");</script>
It alerts... https://bodhi.stg.fedoraproject.org/updates/FEDORA-EPEL-2019-7d02767bc3
I've reproduced the issue on production bodhi as well, but I have removed the alert.
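The bug class the report describes is a stored cross-site scripting flaw: a user-controlled field (here the update title, and later in the thread the Required Taskotron checks field) is dropped into the page as raw HTML, so a `<script>` element in the value executes in every visitor's browser. The following is an added example, not Bodhi's own code or the fix in the linked pull request; the template fragment, the function names and the payload string are assumptions chosen to show the vulnerable rendering beside the escaped one.

```python
"""Stored XSS in an HTML view: unescaped vs. escaped rendering.

Added illustration; not Bodhi's code. Template, names and payload are
assumptions made for the example.
"""
import html
import re

# Constructed payload of the kind the report describes (an update
# title carrying a script tag); not the exact string from the ticket.
PAYLOAD_TITLE = '<script>alert("xss");</script>'

# Assumed minimal page fragment standing in for a template that shows
# an update's title and its list of required checks.
_TEMPLATE = (
    '<h1 class="update-title">{title}</h1>\n'
    '<ul class="checks">{checks}</ul>'
)


def render_update_unsafe(title, required_checks):
    """Vulnerable: user-controlled values are interpolated as raw HTML,
    so a title such as PAYLOAD_TITLE becomes a live <script> element."""
    items = "".join(f"<li>{c}</li>" for c in required_checks)
    return _TEMPLATE.format(title=title, checks=items)


def render_update_safe(title, required_checks):
    """Hardened: every untrusted value is HTML-escaped before it reaches
    the markup. quote=True also escapes quotes, so the same helper is
    safe for values placed inside attributes."""
    def esc(value):
        return html.escape(value, quote=True)

    items = "".join(f"<li>{esc(c)}</li>" for c in required_checks)
    return _TEMPLATE.format(title=esc(title), checks=items)


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered_html):
    """Crude check used only to make the difference visible: True if an
    actual <script> start tag survives into the rendered output."""
    return bool(_SCRIPT_TAG.search(rendered_html))


if __name__ == "__main__":
    # "constructed.check" is a made-up check name for the example.
    checks = ["constructed.check", PAYLOAD_TITLE]
    unsafe = render_update_unsafe(PAYLOAD_TITLE, checks)
    safe = render_update_safe(PAYLOAD_TITLE, checks)
    print("unsafe output has live <script>:", contains_live_script(unsafe))  # True
    print("safe output has live <script>:  ", contains_live_script(safe))    # False
    print(safe)
```

In a real template engine the equivalent fix is to leave autoescaping on (or apply the engine's escape filter) for every interpolated field and to mark a value as safe HTML only when the application itself produced it; a title or a check name entered by a user never qualifies.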
Thanks for the report churchyard
We have the same problem with the Required Taskotron checks field.
@puiterwijk Could you give us a CVE number for this issue?
@abompard is patching the rpm and will update production. Then we can make this ticket public.
Prod is patched, the fix is in bodhi PR #3657 and will be backported to all active branches.
Staging is fixed as well. Thanks.
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: bodhi, security
Marking this public since the associated pull request is public.
Metadata Update from @bowlofeggs: - Issue private status set to: False (was: True)
Our instances are fixed, so I think we can close this now. Please re-open if there's anything further we need to do here...
:palm_tree:
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)