Mozilla Foundation Security Advisory 2021-32

Insecure Sharing of HTML/JS Files in Hubs Cloud Reticulum

Announced: July 14, 2021
Impact: high
Products: Hubs Cloud
Fixed in:
  • Hubs Cloud mozillareality/reticulum/1.0.1/20210618012634

Hubs Cloud allows users to share content with other Hubs Cloud users. However, the implicit content type that was being used to serve HTML/JS files could lead to XSS vulnerabilities. To the best of our understanding, this issue was not abused in the wild. If you believe your Hubs Cloud instance has been abused, please contact Mozilla directly via hubs-support@mozilla.com.

CVE-2021-29979: Insecure Sharing of HTML/JS Files in Hubs Cloud Reticulum

Reporter: Muhammad R. Maulana
Impact: high
Description

Hubs Cloud allows users to download shared content, specifically HTML and JS, which could allow JavaScript execution in the Hubs Cloud instance’s primary hosting domain.
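
As an added illustration (not code from Reticulum or from this advisory), the Python sketch below shows one general way to keep shared HTML/JS from executing in the hosting origin: send an explicit content type, force a download for anything outside an allowlist, and disable sniffing. The function names and the inline allowlist are assumptions made for the example.

```python
# Added example: header policy and audit for responses that serve user-shared files.
import re

# Types a browser can execute or render as active content in the serving origin.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
    "application/ecmascript", "text/ecmascript",
}
# Passive types allowed to render inline (assumed allowlist for this sketch).
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "image/webp",
               "video/mp4", "audio/mpeg", "model/gltf-binary"}


def normalize_type(content_type):
    """Lower-case the media type and drop parameters such as charset."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def headers_for_shared_file(filename, declared_type):
    """Build response headers so an uploaded file cannot run script in our origin."""
    media = normalize_type(declared_type)
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    headers = {
        "X-Content-Type-Options": "nosniff",  # never let the browser guess a type
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if media in INLINE_SAFE:
        headers["Content-Type"] = media
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        # Active, unknown or missing type: force a download as opaque bytes.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def audit(headers):
    """Return findings for a response that serves user-supplied content."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    media = normalize_type(h.get("content-type"))
    attachment = h.get("content-disposition", "").lower().startswith("attachment")
    if not media:
        findings.append("no Content-Type: browser will infer one")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if media in ACTIVE_TYPES and not attachment:
        findings.append(f"active type {media} rendered inline in the serving origin")
    return findings
```

Running `audit` over the headers your own instance returns for a shared `.html` or `.js` file shows whether that response could still be interpreted as active content.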

References