This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs[.]org/readthedocs[.]com) by exploiting a vulnerability in the code that serves downloadable content from a project.
Exploiting this would have required the attacker to get a logged-in user to visit the malicious URL, which would have allowed the attacker to take control of the user's session with JavaScript (making requests to the API/site on behalf of the user). This URL would have looked something like hxxps[:]//readthedocs[.]org/projects/attacker-project/downloads/html/version-with-javascript-attack/
.
This issue has been patched in our 8.8.1 release.
{ "github_reviewed_at": "2022-11-10T16:02:51Z", "github_reviewed": true, "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE" }