Releases: boxmeup/Boxmeup

v2.4.6

25 Aug 14:14
c7aa4e9

An XSS security vulnerability was reported by Stas Kravchenko: the container title was not being sanitized on output in the container view or the print label view, allowing potential unwanted JavaScript execution. This has been patched and deployed.

Original report (Aug 23, 2020, 8:10 AM EST):

Details:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Payload:
"><img src=x onerror=alert(1)>

PoC: [screenshot from the original report, not reproduced here]

Recommendations:

  • Always encode untrusted data (all parameters which are submitted to the server and then rendered as part of the web page) prior to including it in web pages. The type of encoding should be selected according to the context in which the data is inserted, e.g. HTML element, HTML attribute, etc.;
  • HTML encoding should at minimum target the following characters: ' (single quote), " (double quote), > (greater than), < (less than), & (ampersand), / (forward slash) and \ (backslash), but again this will depend on the context;
  • Validate user input (including all hidden fields) and verify it is of the proper length, type, and range;
  • Input validation should be based on a white-list approach (i.e. the application should accept and process only expected input) whenever possible;
  • Always implement input validation on the server-side; validation made on the client-side cannot be relied on;
  • It is important to use common and proven output encoding and input validation libraries/functions.

Reference:
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
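As an added illustration of the output-encoding recommendation in the report (written for this page, not code from Boxmeup), the following Python renders a label template with the reported payload first unencoded, which is the behaviour the release note describes, and then encoded per context (element body vs. quoted attribute); the template shape, helper names and the small tag scanner are assumptions.

```python
import html
import re

# Payload quoted in the original report.
REPORTED_PAYLOAD = '"><img src=x onerror=alert(1)>'


def encode_for_html_text(value: str) -> str:
    """Encode untrusted text for an HTML element body (<, >, &, quotes)."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Encode untrusted text for a quoted HTML attribute value.
    Also encodes '/' and '\\', as the report's character list recommends."""
    encoded = html.escape(value, quote=True)
    return encoded.replace("/", "&#x2F;").replace("\\", "&#x5C;")


def render_label_unsafe(title: str) -> str:
    """'Before' form: the title is interpolated without encoding (assumed
    template shape). Kept only to show what the unencoded output looks like."""
    return f'<div class="label" title="{title}">{title}</div>'


def render_label_safe(title: str) -> str:
    """'After' form: each interpolation is encoded for its own context."""
    attr = encode_for_html_attribute(title)
    text = encode_for_html_text(title)
    return f'<div class="label" title="{attr}">{text}</div>'


# Minimal scanner for start/end tags; used only to check rendered output.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")


def element_names(markup: str) -> set[str]:
    """Set of element names that actually appear as tags in the markup."""
    return {m.group(1).lower() for m in TAG_RE.finditer(markup)}


def injected_elements(markup: str, expected: set[str]) -> set[str]:
    """Elements present in the output that the template itself did not emit.
    A non-empty result means untrusted data changed the document structure."""
    return element_names(markup) - expected


if __name__ == "__main__":
    print(injected_elements(render_label_unsafe(REPORTED_PAYLOAD), {"div"}))
    print(injected_elements(render_label_safe(REPORTED_PAYLOAD), {"div"}))
```

The first call reports `{'img'}` because the unencoded title closes the attribute and opens a new element; the second reports an empty set, since the encoded title survives only as text.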

v2.4.5: Merge pull request #267 from cjsaylor/remove-status-blog

07 Oct 00:07

v2.4.4: Merge pull request #266 from cjsaylor/dockerize

05 Oct 03:23

Interface improvements

03 May 20:58

Added ability to select a location when adding a container.

Implemented transaction email provider service.

05 Jan 17:08

Emails now are sent via a third party email provider (mailgun).

Composer bug fix and password reset fix.

05 Jan 13:33

Merge pull request #168 from cjsaylor/2.4.1

2.4.1

Composer support and bug fixes

04 Jan 16:06

Dropped support for git submodules in favor of composer.

  • Added support for substring searches.
  • Fixed various display issues.
  • Fixed unauthorized users attempting to access containers not belonging to them from showing an empty container view page (now shows an actual error page with a 403 response code).

See all changes here: #166

Fixed forgot password link

03 Oct 11:57

Merge pull request #162 from cjsaylor/2.3.1

Added missing route for forgot password link.

Revamped API to utilize oauth

13 Sep 11:24

You can see new instructions for the API at /developer (http://boxmeupapp.com/develoepr).

Updated bootstrap to stable 3.0

29 Aug 04:18

Also added spacelabs theme.