
OpenOversight 0.6.5

@r4v5 r4v5 released this 21 May 03:15
9c057fa

This release contains security updates:

Tenable reported multiple vulnerabilities in OpenOversight version 0.6.4. As the OpenOversight codebase grew, it appears CSRF protection was not consistently applied to every state-changing endpoint. 🤕

By exploiting these cross-site request forgery vulnerabilities, a remote, unauthenticated attacker could submit bad data for image identification tasks; delete, enable, disable, and approve users; and delete incidents as well as links, notes, and descriptions on individual police officers.

Additionally, a remote, authenticated attacker with administrator privileges in OpenOversight could inject malicious JavaScript when creating a new officer rank (stored cross-site scripting). The injected script would then run when another administrator attempted to delete that rank, provided the rank was associated with an officer.