=============
CVE-2024-9427
=============

New XSS attack on kojiweb

Summary
-------

An unsanitized input in kojiweb allows a reflected XSS attack: JavaScript carried in a malicious link can be reflected into the resulting web page. At present, we do not believe that this can be used to submit an action or make a change in Koji, because of the existing XSS protections in the code. Even so, this is a serious issue and we recommend applying this update promptly.

Bug fix
-------

We are releasing updates for the affected Koji versions released within the past year. The following releases all contain the fix:

- 1.35.1
- 1.34.3
- 1.33.2

Anyone running a Koji release more than a year old should update to a current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. Please see Koji `issue #4204 `_ for the code details.

As with all changes to web code, you must restart httpd for the changes to take effect.

Links
-----

Fixed versions can be found at our releases page:

https://pagure.io/koji/releases
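The bug class described in the Summary, reflection of an unsanitized request parameter into HTML, is shown below as an added illustration. This is not kojiweb code and does not reproduce the actual CVE-2024-9427 defect: the page fragment, the ``terms`` parameter, the hostname and the payload are all constructed for the example. It places the unescaped reflection beside the escaped form and includes a simple check a tester can run against a page's output.

```python
"""Reflected XSS: unescaped reflection of a query parameter vs. escaped output.

Added example, not kojiweb's own code. The parameter name "terms", the
hostname and the payload are assumptions constructed for the demo.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed malicious link: the script tag is URL-encoded in the query string.
MALICIOUS_URL = (
    "https://koji.example.org/koji/search?terms="
    "%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the first (URL-decoded) value of a query parameter, or '' if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(terms: str) -> str:
    """Echo the parameter into the page body unescaped (the reflected XSS bug class)."""
    return f"<p>Results for: {terms}</p>"


def render_fixed(terms: str) -> str:
    """Escape the parameter before interpolating it into HTML.

    quote=True also escapes ' and ", so the same helper is safe when the
    value ends up inside an attribute rather than body text.
    """
    return f"<p>Results for: {html.escape(terms, quote=True)}</p>"


def is_reflected_raw(page: str, payload: str) -> bool:
    """Check used when testing a page: attacker markup appears verbatim in the output."""
    return payload in page


if __name__ == "__main__":
    payload = query_param(MALICIOUS_URL, "terms")
    print("vulnerable:", render_vulnerable(payload))
    print("fixed:     ", render_fixed(payload))
    print("raw reflection in fixed output:", is_reflected_raw(render_fixed(payload), payload))
```

The check in ``is_reflected_raw`` is deliberately crude: it only flags verbatim reflection, so a page that mangles part of the payload but still emits an executable fragment would pass it. Escaping at the point of output, as ``render_fixed`` does, is the fix; filtering the input is not a substitute.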