PT-2024-34662 · Cobalt · Cobalt

Dumbmoron · Published 2024-11-04 · Updated 2024-11-05 · CVE-2024-51498

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: cobalt versions prior to 10.2.1
Description: A malicious cobalt instance could serve links with the javascript: protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit 66bac03e and was mitigated in commit 97977efa for correctly configured web instances.
Recommendations: For versions prior to 10.2.1, upgrade to version 10.2.1 or later to fully resolve the issue. For users unable to upgrade, enable a content-security-policy as a temporary mitigation measure.
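The defensive check behind this class of bug, as an added example that is not cobalt's own code and not the fix from commit 97977efa: a web client that renders download links from a picker response supplied by a remote instance should only accept absolute http(s) URLs before using them as an href or window.open target. The WHATWG URL parser already normalises the scheme (it strips leading whitespace and lower-cases the scheme), so checking the parsed protocol against an allowlist catches mixed-case and padded javascript: strings. The picker item shape and the sample response below are constructed for illustration.

```javascript
// Added example, not cobalt's code: allow only http(s) download targets from a
// picker response. Assumes items are objects with a string `url` field.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function isSafeDownloadUrl(raw) {
  let url;
  try {
    // new URL() with no base throws on relative or scheme-relative input,
    // which we treat as unsafe rather than resolving it against the page origin.
    url = new URL(raw);
  } catch {
    return false;
  }
  // url.protocol is already lower-cased and trimmed by the parser, so
  // "  JavaScript:..." still yields "javascript:" and is rejected here.
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Filter a picker response: keep items with safe URLs, count the rest so the
// UI (or a log line) can surface that the instance sent something unexpected.
function sanitizePicker(items) {
  const kept = [];
  let rejected = 0;
  for (const item of items) {
    if (item && typeof item.url === "string" && isSafeDownloadUrl(item.url)) {
      kept.push(item);
    } else {
      rejected++;
    }
  }
  return { kept, rejected };
}

// Constructed sample picker response as a hostile instance might return it.
const SAMPLE_PICKER = [
  { type: "video", url: "https://example.com/media/1.mp4" },
  { type: "photo", url: "javascript:alert(1)" },
  { type: "photo", url: "  JavaScript:void(0)" }, // padding and mixed case
  { type: "photo", url: "data:text/html,hello" }, // non-http scheme
  { type: "photo", url: "//example.com/2.jpg" },  // scheme-relative, no base
];

const result = sanitizePicker(SAMPLE_PICKER);
console.log(`kept ${result.kept.length}, rejected ${result.rejected}`);
```

Scheme allowlisting is the layer that removes the bug; the content-security-policy the advisory recommends is a second layer that limits what an injected javascript: URL could do if a check like this is missing, so the two belong together rather than as alternatives. Note that this strict variant also rejects relative URLs; if a client legitimately receives relative stream paths from its own origin, resolve them against that known origin first and then apply the same protocol check.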

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-51498
GHSA-CM4C-V4CM-3735

Affected Products

Cobalt