When using the `WebDAV backend for file storage (S3 or Rackspace) or email storage`, do not enable Cookies or Access Control. When using the `File storage backend`, set `file_storage.file_type = "STANDARD"` to avoid XSS attacks. When using the `Email storage backend`, do not enable cookies or access control.

Credit: The initial analysis of this vulnerability was done by https://www.linkedin.com/in/lakshmivi and covered in the original blog post.

Timeline

Published on: 11/11/2022 21:15:00 UTC
Last modified on: 11/16/2022 18:10:00 UTC

References