Skip to content

XSS: Allow serving of arbitrary HTML files from main domain

Moderate
ericholscher published GHSA-98pf-gfh3-x3mp Nov 9, 2022

Package

Read the Docs (Python)

Affected versions

< 8.8.1

Patched versions

8.8.1

Description

Impact

This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs.org/readthedocs.com) by exploiting a vulnerability in the code that serves downloadable content from a project.

Exploiting this would have required the attacker to get a logged-in user to visit the malicious URL, which would have allowed the attacker to take control of the user's session with JavaScript (making requests to the API/site on behalf of the user). This URL would have looked something like https://readthedocs.org/projects/attacker-project/downloads/html/version-with-javascript-attack/.

Patches

This issue has been patched in our 8.8.1 release.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Credits