The fixes for this vulnerability are contained in pull requests #5141, #5142, and #5148 of the Panoptes Front End project on GitHub. Anyone running their own hosted copy of this should pull these changes as soon as possible.
Additional notes on our investigation are as follows:
- The vulnerability was introduced on 14 May 2015, in pull request 324.
- However, we audited the database but could find no evidence (other than our own tests) of this having been done by project owners.
- Our current solution is to sanitise all external/social links – both when taking input from users and when rendering them on webpages – and only allowing standard website URLs to pass.
As a side effect of our fixes, project owners are now unable to add non-standard website URLs to their project’s external links – for example,
https://example.com continues to work fine, but
mailto:firstname.lastname@example.org no longer does.
We apologise for any concern this issue may have caused.