Impact
This vulnerability could potentially allow a malicious user to serve arbitrary content under the main domain of documentation sites. To exploit this vulnerability, the project needs to have pull requests previews enabled, and the source repository to allow opening pull requests from untrusted users.
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 9.7.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)
stsewd Analyst
Impact
This vulnerability could potentially allow a malicious user to serve arbitrary content under the main domain of documentation sites. To exploit this vulnerability, the project needs to have pull requests previews enabled, and the source repository to allow opening pull requests from untrusted users.
Users of https://readthedocs.org/ and https://readthedocs.com/ do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This vulnerability has been patched in our 9.7.0 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)