GMS-2024-29: readthedocs-sphinx-search vulnerable to cross-site scripting when including search results from malicious projects
Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. This was due to our search client not correctly escaping all user content from search results. You can find more information in the advisory published in our readthedocs.org repo.
Users of this extension should update to the 0.3.2 version, and trigger a new build.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Patches
This issue has been patched in our 0.3.2 version.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)
References
Detect and mitigate GMS-2024-29 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →