Read the Docs vulnerable to Cross-Site Scripting (XSS)
This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs.org/readthedocs.com) by exploiting a vulnerability in the code that serves downloadable content from a project. Exploiting this would have required the attacker to get a logged-in user to visit the malicious URL, which would have allowed the attacker to take control of the user's session with JavaScript (making requests to the API/site on behalf …