Skip to content

2.8.2

Latest
Latest

Choose a tag to compare

View all tags
@colinodell colinodell released this 19 Mar 13:20
2.8.2
This tag was signed with the committer’s verified signature. The key has expired.
colinodell Colin O'Dell
GPG key ID: 60A4DAD272A01CB8
Expired
Verified
Learn about vigilant mode.
59fb075
This commit was signed with the committer’s verified signature. The key has expired.
colinodell Colin O'Dell
GPG key ID: 60A4DAD272A01CB8
Expired
Verified
Learn about vigilant mode.

This is a security release to address an issue where the allowed_domains setting for the Embed extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.

Fixed

  • Fixed DomainFilteringAdapter hostname boundary bypass where domains like youtube.com.evil could match an allowlist entry for youtube.com (GHSA-hh8v-hgvp-g3f5)

Full Changelog: 2.8.1...2.8.2

Assets 2
Loading