Overpass v0.7.55.7 fixes vulnerability

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Overpass v0.7.55.7 fixes vulnerability

Roland Olbricht
Hello everybody,

a new update of Overpass API is available. As this fixes a security
issue, I strongly encourage you to install the fix right now.
The release is as usual available via
https://dev.overpass-api.de/releases/
resp.
https://dev.overpass-api.de/releases/osm-3s_v0.7.55.7.tar.gz
The public servers have already been updated.

The issue is XSS, i.e. you can place arbitrary HTML such that it appears
to originate from the Overpass server by sending a crafted request to
the server. No personal data has been leaked because Overpass servers do
not process any. No attack in the wild is known so far. Details will
follow in a couple of days.

I would like to thank the people that have reported the vulnerability.

Best regards,

Roland