GMS-2020-704: Open Redirect in apostrophe
Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end.
Recommendation
Update to version 2.92.0 or later.
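For application code that issues its own trailing-slash redirects, the following added example (not apostrophe's code or its actual fix) shows one way to guard the redirect target. It assumes the redirect comes from stripping the trailing / and echoing the rest into a Location header; the function names and the placeholder origin are hypothetical.

```javascript
// Added example: hypothetical helper, not apostrophe's code or its fix.
const BASE = 'https://site.invalid'; // placeholder origin, used only to resolve paths

// True only if a browser would resolve `p` to a path on the same origin.
function isSameSitePath(p) {
  // Must start with exactly one "/"; "//" and "/\" are read as scheme-relative URLs.
  if (!/^\/(?![\/\\])/.test(p)) return false;
  // URL parsers drop tabs and newlines, which can hide a second slash.
  if (/[\x00-\x1f\x7f]/.test(p)) return false;
  try {
    return new URL(p, BASE).origin === new URL(BASE).origin;
  } catch {
    return false;
  }
}

// Returns the path to redirect to when stripping a trailing slash,
// or null when no redirect should be sent.
function trailingSlashRedirectTarget(requestUrl) {
  const q = requestUrl.indexOf('?');
  const rawPath = q === -1 ? requestUrl : requestUrl.slice(0, q);
  const query = q === -1 ? '' : requestUrl.slice(q);
  if (rawPath.length < 2 || !rawPath.endsWith('/')) return null; // nothing to strip

  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding: serve a 400/404 instead of redirecting
  }

  // Check both the raw form (what goes into Location) and the decoded form
  // (what a later decoding layer might turn it into).
  const target = rawPath.replace(/\/+$/, '');
  const decodedTarget = decoded.replace(/\/+$/, '');
  if (!isSameSitePath(target) || !isSameSitePath(decodedTarget)) return null;
  return target + query;
}
```

A null return means the request should fall through to normal routing rather than receive a redirect.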