Limited XSS flaw in 2.1 - simple workaround
In Vanilla 2.1, it may be possible for a user to get JavaScript to run on their own profile page IF:
- You are using the Profile Extender addon, AND
- You have a field named precisely "Twitter" or "Google+"
If you are NOT using Profile Extender, or simply do not have any fields with those names, you are not affected and do not need to take any action.
The workaround is to rename those fields to anything else until 2.1.1 is released. The field label must be an exact string match on one of the 3 names above for the exploit to be open; simply adding an underscore or a number to the end of the label mitigates it entirely.
To do this, go to "Profile Fields" in your Dashboard and click "Edit" on the field whose name you wish to change. If you do not have a "Profile Fields" section in your Dashboard, you are definitely NOT affected by this issue and need take no further action.
Because this flaw has a very small scope with an easy workaround and 2.1.1 is already scheduled for August, we're not expediting the 2.1.1 release further to address it. Please simply make the change above as needed.
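To make the "exact label match" point concrete, here is an added illustration written for this page; it is not Profile Extender's own code and does not reproduce the real plugin's rendering logic. It assumes a hypothetical renderer that turns fields labelled "Twitter" or "Google+" into links while rendering every other label as escaped plain text, and uses a standard HTML-injection test string as the field value:

```php
<?php
// Hypothetical renderer (added example, not Profile Extender code).
// Social-looking labels are special-cased into links; everything else is plain text.
function renderProfileField(string $label, string $value, bool $escapeLinkValue): string
{
    // Assumed mapping; the label lookup is an exact, case-sensitive string match,
    // which is why "Twitter_" or "Twitter2" falls through to the plain-text branch.
    $linkBases = [
        'Twitter' => 'https://twitter.com/',
        'Google+' => 'https://plus.google.com/',
    ];

    if (array_key_exists($label, $linkBases)) {
        // Unescaped branch models the bug class: user input lands in an attribute and in text.
        $shown = $escapeLinkValue
            ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
            : $value;
        return '<a href="' . $linkBases[$label] . $shown . '">' . $shown . '</a>';
    }

    // Non-special labels are always escaped in this model.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed test value: a generic attribute-breakout string, not a real payload from the advisory.
$probe = '"><script>alert(1)</script>';

echo "Vulnerable (label matches, no escaping):\n";
echo renderProfileField('Twitter', $probe, false), "\n\n";

echo "Patched (label matches, value escaped):\n";
echo renderProfileField('Twitter', $probe, true), "\n\n";

echo "Workaround (label renamed, never hits the link branch):\n";
echo renderProfileField('Twitter_', $probe, false), "\n";
```

Run it with `php example.php`. The first output breaks out of the `href` attribute and carries a `<script>` element; the second and third contain only `&quot;&gt;&lt;script&gt;...` entities, which the browser renders as text. Renaming the label gives the same protection as the code fix because the special-case branch is keyed on the exact label string, which is what the workaround above relies on.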
Comments
If you are a developer or don't mind editing code, the patch is here: https://github.com/vanilla/vanilla/commit/d358fbb7131082f4c5e8ce6a5811fe1a3871d263
If you previously upgraded your Profile Extender addon beyond the 2.1 version (i.e. you grabbed the version off the master branch) you should upgrade to the latest version there now, or minimally implement the patch on line 185 above - that is the core of the issue. The line number will be different in your version, of course.