PT-2019-13137 · Patchwork · Patchwork

Andrew Donnellan · Published 2019-07-10 · Updated 2019-07-16 · CVE-2019-13122

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Patchwork versions 1.1 through 2.1.x

Description: A Cross Site Scripting (XSS) issue exists in the template tag used to render message ids. This allows an attacker to insert JavaScript or HTML into the patch detail page via an email sent to a mailing list consumed by Patchwork. The msgid function in templatetags/patch.py is affected.

Recommendations: For versions prior to 2.1.4 and 2.0.4, update to version 2.1.4 or 2.0.4 to resolve the issue. As a temporary workaround, consider restricting access to the msgid function in templatetags/patch.py until a patch is available.

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2019-13122

Affected Products: Patchwork