Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. This was due to the implementation of our search clients not correctly escaping all user content from search results.
The search integration from our main application (https://readthedocs.org/search, and https://readthedocs.com/search) isn't affected by this. Search clients affected by this are:
On Read the Docs community (*.readthedocs.io and custom domains) we don't use cookies on docs domains, so what an attacker can do there is very limited.
On Read the Docs for Business (*.readthedocs-hosted.com and custom domains) we make use of session cookies to allow access to private documentation. An attacker could have access to several read-only APIs, namely the APIs used for search and embedded content, allowing the attacker to have access to content of projects which the user had access to.
Exploiting this vulnerability requires the user explicitly searching for a malicious project, or following a link when using our Search as you type extension, this malicious link would have looked like https://docs.example.com/en/latest/?rtd_search=project:<malicious-project> query.
Users using our search as you type Sphinx extension need to upgrade to a version higher than 0.3.1 and trigger a new build. Users not using that extension do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed in our other integrations that we have full control over. We have contacted users that have used this extension in the last six months, so they can upgrade.
This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This issue has been patched in our 10.15.1 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)
stsewd Analyst
Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. This was due to the implementation of our search clients not correctly escaping all user content from search results.
The search integration from our main application (https://readthedocs.org/search, and https://readthedocs.com/search) isn't affected by this. Search clients affected by this are:
On Read the Docs community (
*.readthedocs.ioand custom domains) we don't use cookies on docs domains, so what an attacker can do there is very limited.On Read the Docs for Business (
*.readthedocs-hosted.comand custom domains) we make use of session cookies to allow access to private documentation. An attacker could have access to several read-only APIs, namely the APIs used for search and embedded content, allowing the attacker to have access to content of projects which the user had access to.Exploiting this vulnerability requires the user explicitly searching for a malicious project, or following a link when using our Search as you type extension, this malicious link would have looked like
https://docs.example.com/en/latest/?rtd_search=project:<malicious-project> query.Users using our search as you type Sphinx extension need to upgrade to a version higher than
0.3.1and trigger a new build. Users not using that extension do not need to take any further action, we have taken measures to ensure that the security issue is now fully fixed in our other integrations that we have full control over. We have contacted users that have used this extension in the last six months, so they can upgrade.This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild.
Custom installations
We don't officially support custom installations of Read the Docs, but If you are using a custom installation, we recommend you to upgrade.
Patches
This issue has been patched in our 10.15.1 release.
References
For more information
If you have any questions or comments about this advisory, email us at security@readthedocs.org (PGP)