Users running a non-download version of Vanilla (pulled from GitHub), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open source releases are not affected.
UserAward 1.4.1 Addon Security Flaw
This addon allows anyone to post arbitrary HTML/JavaScript into a page by injection via the Notes field when creating an award.
Comments
I just clean the NOTES output with strip_tags() and call it a day. Sorry!
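The defect described in this thread is a stored XSS: a user-controlled Notes value is written into an HTML page without output encoding. Vanilla addons are written in PHP, so the following added example (not code from the UserAward addon, from Vanilla, or from the commenter above) shows the standard fix, context-aware output encoding with htmlspecialchars() at the point where the note is rendered, next to a strip_tags() variant so the difference in what each function guarantees is visible. The function names and the sample note are constructed for this example.

```php
<?php
// Added example (hypothetical helper names; not the addon's own code).
// Shows output encoding of a user-supplied "Notes" value before it is
// placed into HTML, and contrasts it with strip_tags().

/**
 * Encode a user-supplied note so it is rendered as literal text in HTML.
 * ENT_QUOTES encodes both single and double quotes, so the result is also
 * safe inside a quoted attribute value; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string.
 */
function renderNoteSafely(string $note): string
{
    return htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Tag removal only. Kept here to show what strip_tags() does not do:
 * it does not encode quotes or ampersands and it only removes what it
 * recognises as a tag, so the output is not guaranteed safe in every
 * HTML context (for example inside an attribute value).
 */
function stripNote(string $note): string
{
    return strip_tags($note);
}

/**
 * Render the award note inside a fixed template. The note is encoded at
 * the moment of output, which is where the injection in the report occurs.
 */
function awardNoteHtml(string $note): string
{
    return '<div class="award-note">' . renderNoteSafely($note) . '</div>';
}

// Constructed sample input: ordinary text mixed with markup-like characters.
$sample = 'Great work <b>team</b> & "friends"';

echo 'encoded:  ' . renderNoteSafely($sample) . PHP_EOL;
echo 'stripped: ' . stripNote($sample) . PHP_EOL;
echo 'rendered: ' . awardNoteHtml($sample) . PHP_EOL;
```

The encoded form is the one that should reach the page: every character that has meaning to the HTML parser is turned into an entity, so the browser displays the note as text no matter what it contains. If the Notes field is meant to carry rich formatting, the appropriate tool is an allow-list HTML sanitizer applied on input or output, not strip_tags(), and the encoding step above still applies to any other place the value is echoed (attributes, page titles, JSON embedded in the page).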