Skip to content

v1.3.2

Latest
Compare
Choose a tag to compare
@jordigh jordigh released this 20 Dec 21:58
· 7 commits to main since this release

What's Changed

  • Preliminary work for a SCIM API endpoints
  • New translations and minor fixes

Security advisory

A set of XSS vulnerabilities were found in Grist by a private bug bounty program funded by DINUM (the Interministerial Digital Directorate of the French government).

  • A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the javascript: scheme with custom widget URLs and form redirect URLs.
    • Mitigation: restricted custom widget URLs and form redirect URLs to http(s) schemes.
  • A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page.
    • Mitigation: added an appropriate content security policy for attachments.
  • A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page.
    • Mitigation: restricted HyperLink cell links to http(s) schemes.

Versions prior to 1.3.2 are known to be vulnerable. Please upgrade.

These advisories are also documented in our security advisory page.

Thanks to @spawnzii for initially reporting these security vulnerabilities.

Full Changelog: v1.3.0...v1.3.2