CVE-2020-15856

XSS attack on kojiweb

Summary

The Koji web interface (kojiweb) is vulnerable to cross-site scripting (XSS). Attackers can craft HTTP links containing malicious JavaScript code; because such links were not validated properly, an attacker could trick a user who follows one into submitting actions the user never intended. Some of the actions available through the web UI are destructive, so updating to a fixed version is highly recommended.
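To make the mitigation class concrete, here is an added example (not Koji's own code and not the fix referenced in issue #2645) showing the two defensive controls that close this kind of reflected XSS in a Python web frontend: HTML-escaping every attacker-controlled value before it is written into markup, and applying a policy to link targets so that only local, relative paths are accepted. The `render_link_unsafe`, `is_safe_local_link` and `render_link_safe` helpers and the sample inputs are hypothetical and constructed for illustration.

```python
import html
from urllib.parse import urlsplit


def render_link_unsafe(href, label):
    """Vulnerable pattern (hypothetical): request-controlled values are copied
    verbatim into HTML, so a crafted href or label becomes live markup."""
    return '<a href="%s">%s</a>' % (href, label)


def is_safe_local_link(href):
    """Link policy: accept only relative, same-application paths.

    Rejects anything with a scheme (javascript:, data:, https:) or a host
    part (absolute URLs and protocol-relative //host links), which is what a
    'return to previous page' parameter should never need.
    """
    parts = urlsplit(href)
    if parts.scheme or parts.netloc:
        return False
    return True


def render_link_safe(href, label, fallback="/"):
    """Hardened rendering: enforce the link policy, then escape both the
    attribute value and the text node (quote=True also escapes " and ')."""
    if not is_safe_local_link(href):
        href = fallback  # drop the attacker-supplied target entirely
    return '<a href="%s">%s</a>' % (
        html.escape(href, quote=True),
        html.escape(label, quote=True),
    )


def compare(href, label):
    """Return (unsafe, safe) renderings of the same constructed input so the
    difference is visible side by side."""
    return render_link_unsafe(href, label), render_link_safe(href, label)


if __name__ == "__main__":
    # Constructed inputs: a legitimate local link and two hostile ones.
    samples = [
        ("/taskinfo?taskID=1", "Task 1"),
        ('" onmouseover="x', "<b>Back</b>"),
        ("javascript:x", "Back"),
    ]
    for href, label in samples:
        unsafe, safe = compare(href, label)
        print("unsafe:", unsafe)
        print("safe:  ", safe)
```

The policy check and the escaping are independent: the first example with a quote in the href passes the link policy (it has no scheme or host) but is neutralised by `html.escape`, while the `javascript:` target is rejected outright and replaced by the fallback. Applying both in every template that echoes request data is the standard way to remove this class of bug.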

Bug fix

We are releasing updates for affected versions of Koji from within the past year. The following releases all contain the fix:

  • 1.23.1
  • 1.22.2
  • 1.21.2

Anyone using a Koji version older than a year should update to a more current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. Please see Koji issue #2645 for the code details.

As with all changes to web code, you must restart httpd for the changes to take effect.