Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in build pages from the beta dashboard (https://beta.readthedocs.org/ and https://beta.readthedocs.com/) giving the attacker access to the user's current session if the user navigated to those pages. This was due to our application injecting the command and its result into the build page without escaping them.
Users of https://beta.readthedocs.org/ and https://beta.readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
Unless you were installing Read the Docs with its new beta theme, you shouldn't be affected by this security issue. We don't officially support custom installations of Read the Docs, but If you are using a custom installation with the new theme, we recommend you to upgrade to use the latest version of it.
Patches
This issue has been patched in our ext-theme repository together with our 10.24.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).
Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in build pages from the beta dashboard (
https://beta.readthedocs.org/andhttps://beta.readthedocs.com/) giving the attacker access to the user's current session if the user navigated to those pages. This was due to our application injecting the command and its result into the build page without escaping them.Users of https://beta.readthedocs.org/ and https://beta.readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
Unless you were installing Read the Docs with its new beta theme, you shouldn't be affected by this security issue. We don't officially support custom installations of Read the Docs, but If you are using a custom installation with the new theme, we recommend you to upgrade to use the latest version of it.
Patches
This issue has been patched in our ext-theme repository together with our 10.24.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP).