Impact
DisplayName allows all the characters from users, which leads to an XSS vulnerability when directly displayed in the issue assignee list.
Patches
DisplayName is sanitized before upon retrieving from the database. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.
Workarounds
N/A
References
https://nvd.nist.gov/vuln/detail/CVE-2022-32174
For more information
If you have any questions or comments about this advisory, please post on #7145.
Impact
DisplayNameallows all the characters from users, which leads to an XSS vulnerability when directly displayed in the issue assignee list.Patches
DisplayNameis sanitized before upon retrieving from the database. Users should upgrade to 0.12.11 or the latest 0.13.0+dev.Workarounds
N/A
References
https://nvd.nist.gov/vuln/detail/CVE-2022-32174
For more information
If you have any questions or comments about this advisory, please post on #7145.