Impact
In various places, user input was not properly escaped before being rendered, which allowed malicious users to inject arbitrary HTML into the pages. However, because the Content-Security-Policy forbids inline scripts and external scripts, it is not possible to execute JavaScript code through this injection alone (only in combination with other vulnerabilities).
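The two halves of the impact statement, raw interpolation of user input into HTML and a CSP that bounds what that injection can do, can be shown in a few lines. The following is an added example written for this advisory; it is not Part-DB's own code, and the template, sample part name and CSP headers are constructed here for illustration. It contrasts a vulnerable render with an escaped one, counts the markup that leaks through, and checks whether a CSP header has the two properties the advisory relies on (no inline scripts, no external script hosts).

```python
import html
import re

# Constructed template and input for the demonstration (not from Part-DB).
TEMPLATE = "<td>{{ value }}</td>"
SAMPLE_INPUT = "<b>resistor</b>"  # benign markup standing in for user input

# Constructed CSP headers: one that blocks inline/external scripts, one that does not.
SAFE_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'"
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"


def render_unescaped(template: str, value: str) -> str:
    """Vulnerable pattern: user input is interpolated into HTML verbatim."""
    return template.replace("{{ value }}", value)


def render_escaped(template: str, value: str) -> str:
    """Fixed pattern: input is HTML-encoded (including quotes) before interpolation."""
    return template.replace("{{ value }}", html.escape(value, quote=True))


def injected_tags(template: str, rendered: str) -> int:
    """Number of '<' characters that came from the value rather than the template.

    Zero means no user-controlled markup survived rendering.
    """
    return rendered.count("<") - template.count("<")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


# Source expressions that do not permit inline scripts or third-party script hosts.
_SAFE_SOURCE = re.compile(
    r"^(?:'self'|'none'|'strict-dynamic'|'nonce-[^']+'|'sha(?:256|384|512)-[^']+')$",
    re.IGNORECASE,
)


def script_execution_blocked(header: str) -> bool:
    """True if script-src (or default-src as fallback) forbids inline and external scripts.

    Conservative: any source expression outside the safe set (for example
    'unsafe-inline', '*', a scheme such as https:, or a host name) counts as
    permitting script execution from injected markup.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if not sources:
        return False  # no script restriction at all
    return all(_SAFE_SOURCE.match(src) for src in sources)


if __name__ == "__main__":
    leaky = render_unescaped(TEMPLATE, SAMPLE_INPUT)
    fixed = render_escaped(TEMPLATE, SAMPLE_INPUT)
    print("unescaped:", leaky, "-> injected tags:", injected_tags(TEMPLATE, leaky))
    print("escaped:  ", fixed, "-> injected tags:", injected_tags(TEMPLATE, fixed))
    print("SAFE_CSP blocks scripts:", script_execution_blocked(SAFE_CSP))
    print("WEAK_CSP blocks scripts:", script_execution_blocked(WEAK_CSP))
```

The CSP check models only the two properties the advisory names. A policy that passes it still permits same-origin script files via `'self'`, and it says nothing about non-script impact such as injected links or forms, which is why the upgrade, not the CSP, is the actual fix.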
Patches
Upgrade to Part-DB 1.0.2 or later for a fixed version.
Workarounds
There is no way to prevent this completely without upgrading. To reduce the risk, do not click links to Part-DB supplied by untrusted users, and grant edit access only to trusted users.
References
See this PR and the commits between v1.0.1 and v1.0.2 for exactly what was affected.