path: root/CHANGELOG.md
author: Lauri Ojansivu <x@xet7.org> 2020-03-23 22:49:28 +0200
committer: Lauri Ojansivu <x@xet7.org> 2020-03-23 22:49:28 +0200
commit: ec71849d84a7274f6c60d39ee7f041e6a87e127c (patch)
tree: 2c1c701e5a05c305ce23a7d1cba6f839ee8b0d9b /CHANGELOG.md
parent: 482682e50079d70c5113169020d6834013b57c11 (diff)
download: wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.tar.gz
wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.tar.bz2
wekan-ec71849d84a7274f6c60d39ee7f041e6a87e127c.zip
Update ChangeLog.
Diffstat (limited to 'CHANGELOG.md')
-rw-r--r-- CHANGELOG.md 14
1 files changed, 11 insertions, 3 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79b141eb..f13a7d15 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,16 @@
# Upcoming Wekan release
-This release fixes the following bugs:
-
--
+This release fixes the following SECURITY VULNERABLITIES:
+
+- [Fix XSS bug reported today 4 hours ago by Cyb3rjunky](https://github.com/wekan/wekan/commit/482682e50079d70c5113169020d6834013b57c11).
+ Logged in users could run javascript in input fields.
+ This affects Wekan versions v3.12-v3.84.
+ In [Wekan v3.12](https://github.com/wekan/wekan/blob/master/CHANGELOG.md#v312-2019-08-09-wekan-release)
+ there was [changes for XSS filter to allow inserting images, videos etc
+ on comment WYSIWYG editor](https://github.com/wekan/wekan/pull/2593)
+ so features related to that are now removed.
+ After this fix, Javascript in input fields is not executed.
+ Thanks to Cyb3rjunky and xet7.
Thanks to above GitHub users for their contributions and translators for their translations.
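Review bot: the new entry is vague about what users lose after upgrading: "so features related to that are now removed" should name the comment WYSIWYG features that no longer work (inserting images, videos etc., per the linked PR #2593 text in the same line), since administrators reading a security changelog need to know the behavioural change that comes with the fix. The line "Fix XSS bug reported today 4 hours ago by Cyb3rjunky" is relative to the commit time and meaningless to later readers; replace it with the report date (2020-03-23, per the commit metadata). Spelling and grammar in the added lines: "SECURITY VULNERABLITIES" should be "SECURITY VULNERABILITIES", "there was [changes" should be "there were [changes", and "javascript" / "Javascript" should consistently be "JavaScript". Finally, "Thanks to Cyb3rjunky and xet7." on the last added line duplicates the retained context line "Thanks to above GitHub users for their contributions", so one of the two could be dropped.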