HedgeDoc
@hedgedoc@fosstodon.org · 2 weeks ago

We've just released #HedgeDoc 1.10.6 🎉

⚠️ This release contains two security fixes for filesystem hosted SVGs ⚠️

See our security advisories:
- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w
- https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-672m-p72w-gw28

Read the full changelog on https://hedgedoc.org/releases/1.10.6/

Link preview (hedgedoc.org, "HedgeDoc - Ideas grow better together"): HedgeDoc 1.10.6

Security fixes: This release contains two medium-severity security fixes. GHSA-x74j-jmf9-534w reports a bug where security headers for uploaded files were not set correctly. GHSA-672m-p72w-gw28 reports potential security issues with limited script execution in uploaded SVG files. Thanks to @HUSEYNKHANLI and @drkim-dev for reporting!
Link preview (GitHub): Missing sanitization of SVG uploads

Summary: Maliciously crafted SVG files that were uploaded to HedgeDoc were able to execute JavaScript in the context of the instance's domain when being included into a note using `` t...
Link preview (GitHub): Security headers for uploaded files were not working

Summary: Due to a bug, files served below the `/uploads/` endpoint did not use a more strict security policy. This resulted in a too open Content-Security-Policy and furthermore opened the po...
bonfire.cafe

A space for Bonfire maintainers and contributors to communicate