npm

Severity: high

Cross-Site Scripting

jingo

Overview

Versions of jingo prior to 1.9.2 are vulnerable to Cross-Site Scripting (XSS). If malicious input such as <script>alert(1)</script> is placed in the content of a wiki page, Jingo does not properly encode the input and it is executed instead of rendered as text.

Remediation

Upgrade to version 1.9.2

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Dec 18th, 2018
  2. reported

    Reported by Bob "Wombat" Hogg
    Dec 18th, 2018