Hi,

we have a new, shiny release: 2.5.1! This new version brings some bug
fixes and of course dependency upgrades.

Joe Thorpe from Secarma disclosed an XSS issue that was inadvertently
fixed in 2.5.0 by another bug fix. Tracks previously rendered XSS
content in the user’s own data. The content is only shown to the user
themself, which mitigates the vulnerability in the normal use case where
a single user account is only used by one person. The CVSS rating for
self-XSS is debatable and thus is not published for this issue.

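To illustrate the class of bug described above (stored user data rendered as HTML back to the same user), here is a small added example; it is not Tracks code and does not reflect how the actual fix in 2.5.0 was made. It uses Ruby's standard ERB with a constructed sample value and two hypothetical templates: one that interpolates the stored text verbatim, and a hardened one that HTML-escapes every user-supplied value on output.

```ruby
require "erb"

# Constructed sample of a user's own data (say, a todo description) that
# happens to contain markup. The same user later views it in a page.
USER_DATA = %q(Buy milk <script>alert(1)</script>)

# Hypothetical template that emits the stored value verbatim: whatever the
# user saved is sent to the browser as live HTML. This is the self-XSS shape.
UNESCAPED_TEMPLATE = ERB.new("<li><%= description %></li>")

# Hardened variant: every user-supplied value is escaped at output time, so
# stored markup becomes inert text. Escaping on output (not on input) is the
# rule that survives data arriving through imports, APIs or old records.
ESCAPED_TEMPLATE = ERB.new("<li><%= ERB::Util.html_escape(description) %></li>")

def render_unescaped(description)
  UNESCAPED_TEMPLATE.result_with_hash(description: description)
end

def render_escaped(description)
  ESCAPED_TEMPLATE.result_with_hash(description: description)
end

# Review aid: does rendered output still contain an executable tag?
# After escaping, "<script>" has become "&lt;script&gt;" and no longer matches.
def contains_live_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $0
  puts render_unescaped(USER_DATA) # markup survives and would run in the viewer's browser
  puts render_escaped(USER_DATA)   # markup neutralized, shown as literal text
end
```

The point the advisory makes about impact still holds in this model: the only browser that ever renders `USER_DATA` is the one belonging to the user who saved it, which is why the issue is a self-XSS rather than a stored XSS against other accounts. The escaping fix is the same either way.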
I want to thank Joe for reporting the issue and for the insightful
discussion regarding the issue. Thanks to the disclosure there is now
also a written security policy for the project.

More details on the release can be found at
https://www.getontracks.org/news/comments/release-2.5.1/

Best regards,
--
Jyri-Petteri ”ZeiP” Paloposki
Tracks principal maintainer