Impact
This vulnerability could have allowed an attacker to execute JavaScript code giving the attacker access to the user's current session if the user clicked on a malicious link from a crafted page on readthedocs.com. This was due to our application linking to a user given value without checking if it has a valid protocol.
Read the Docs Community (https://readthedocs.org) isn't affected by this vulnerability. Users of https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
This vulnerability was present in our private version of Read the Docs, custom installations aren't affected.
Patches
This vulnerability has been patched with our 11.12.0 release.
References
This vulnerability has been fixed in our private code, we can't share this patch publicly.
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)
stsewd Finder
Impact
This vulnerability could have allowed an attacker to execute JavaScript code giving the attacker access to the user's current session if the user clicked on a malicious link from a crafted page on
readthedocs.com. This was due to our application linking to a user given value without checking if it has a valid protocol.Read the Docs Community (https://readthedocs.org) isn't affected by this vulnerability. Users of https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
This vulnerability was present in our private version of Read the Docs, custom installations aren't affected.
Patches
This vulnerability has been patched with our 11.12.0 release.
References
This vulnerability has been fixed in our private code, we can't share this patch publicly.
For more information
If you have any questions or comments about this advisory, email us at [email protected] (PGP)