Impact
Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.
Patches
This vulnerability was fixed in version 1.2 of octocat.js
Workarounds
Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.
References
To render the file correctly, see documentation at readme.md
For more information
If you have any questions or comments about this advisory:
Impact
Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.
Patches
This vulnerability was fixed in version 1.2 of octocat.js
Workarounds
Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.
References
To render the file correctly, see documentation at
readme.mdFor more information
If you have any questions or comments about this advisory: