A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code.
The way that the hub code validates upload paths allows for an attacker to choose an arbitrary destination for the uploaded file. Uploading still requires login. However, an attacker with credentials could damage the integrity of the Koji system.
Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around deny list paths for build submission.
SQL injection vulnerabilities have been found in multiple call handlers in Koji’s hub code. An anonymous attacker can use these vulnerabilities to issue arbitrary database commands.
Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1.