Fix XSS vulnerability (CVE-2022-29360) (!4) · Merge requests · Debian JavaScript Maintainers / rainloop

glop requested to merge glop/rainloop:fix/cve-2022-29360 into master May 16, 2022

Hello!

A stored cross-site-scripting (XSS) vulnerability is present in Rainloop v1.16.0 (since v1.10.5.192, or maybe earlier). The vulnerability along with an easy-to-reproduce exploit have been made public on April 19th. See https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw/ for more details.

Since upstream doesn't seem to be doing anything regarding this issue, this MR proposes to directly apply the fix by Simon Scannell from the above blog post. I've tried it on a self-administered instance of Rainloop: this indeed fixes the vulnerability.

Thank you!

Fix XSS vulnerability (CVE-2022-29360)

Merge request reports