Security fix: django-impersonate 1.9.3 release

Details
Message ID
<t5pgizrp24etpcgo3sdbt2kvtmltwjybjzojg7tknuhpr56ffx@vmsradru5t34>
DKIM signature
missing
Hi All,

Anyone using django-impersonate versions 1.9.2 and below (which as of
this writing is literally everyone using the app) needs to upgrade as
soon as they can to version 1.9.3, which I just pushed to pypi.

https://pypi.org/project/django-impersonate/1.9.3/

There was an XSS security vulnerability in previous versions. It requires
a specially crafted URL and an authorized user (a user who has access to
impersonate another user) to click on it. It can be used to run JS code
in the authorized user's browser.

Please see the fix commit here:

https://hg.code.netlandish.com/~petersanchez/django-impersonate/rev/06991a735f290884eec08effb3fa31ed45cc26e5

Thanks,

Peter