...
- Release candidate 3 (VIVO 1.14.0)
- Published and a couple of issues reported to Georgy
- https://github.com/vivo-project/Vitro/pull/407
- https://github.com/vivo-project/Vitro/pull/408
- https://github.com/vivo-project/Vitro/pull/409
- Release candidate 4
- Vulnerability
- https://vivo-project.slack.com/archives/C8RL9L98A/p1687378615914659
The penetration testers contacted me with an additional finding for the VIVO server. This one relates to an issue with input not being sanitized for special characters, which could then be used to exploit the site. They consider this a high severity vulnerability and are documenting it as a reflected cross-site scripting vulnerability. They provided an example of exploiting the issue with the below URL: https://vivo.mydomain.edu/visualizationAjax?vis=capabilitymap&query=291822&callback=ipretResultsoesic<script>alert(1)<%2fscript>cwz3i&noCacheIE=1687235208332
- Publication claiming
- https://vivo-project.slack.com/archives/C8SDQQYJ2/p1687364277662029
- Good afternoon all, I have a question about restricting publication claiming. In the 1.11.x release notes, publication claiming is noted as being available to anyone who has the ability to edit in VIVO, whether that be the ability to edit only their profile or edit others. Is there a way to restrict this to be an admin-only privilege?
Notes
A couple of new issues have been recorded related to the Vitro code base. All have been resolved and merged into the main branch. Dragan will generate VIVO 1.14.0 Release candidate 4.
The vulnerability https://vivo.mydomain.edu/visualizationAjax?vis=capabilitymap&query=291822&callback=ipretResultsoesic<script>alert(1)<%2fscript>cwz3i&noCacheIE=1687235208332 is still present in the VIVO 1.14.0 release candidate. It is not yet clear what is causing this issue. Dragan will respond to the Slack message.
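The reported URL reflects the `callback` query parameter into the JSONP response, which is what lets `<script>` reach the browser. The following is an added example, not code from Vitro or VIVO, showing the kind of allowlist check a JSONP endpoint can apply: the callback name must be a plain (dotted) JavaScript identifier of bounded length, anything else is rejected with a 400 and never echoed back. Function names (`is_safe_callback`, `callback_from_url`, `render_jsonp`) and the JSON body are assumptions for the demonstration; the sample URL is the one quoted in the report above.

```python
import re
from typing import Optional, Tuple, Dict
from urllib.parse import urlsplit, parse_qs

# Allowlist for a JSONP callback: a dotted JavaScript identifier and nothing else.
# '<', '>', '(', ';' and whitespace can never match, so a script tag in the
# parameter is rejected instead of reflected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def is_safe_callback(name: str) -> bool:
    """True only if `name` is a bounded-length (dotted) identifier."""
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def callback_from_url(url: str) -> Optional[str]:
    """Extract the decoded `callback` query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("callback")
    return values[0] if values else None


def render_jsonp(callback: str, json_body: str) -> Tuple[int, Dict[str, str], str]:
    """Build (status, headers, body) for a JSONP response.

    An unsafe callback yields a fixed 400 body that does not contain the
    submitted value, so there is nothing to reflect.
    """
    if not is_safe_callback(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback parameter"
    headers = {
        # Script content type plus nosniff: the browser will not render this as HTML.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # Leading comment is a common hardening against content-type confusion attacks.
    return 200, headers, f"/**/{callback}({json_body});"


# URL quoted in the penetration-test report above (hostname as given there).
REPORTED_URL = ("https://vivo.mydomain.edu/visualizationAjax?vis=capabilitymap&query=291822"
                "&callback=ipretResultsoesic<script>alert(1)<%2fscript>cwz3i&noCacheIE=1687235208332")

if __name__ == "__main__":
    cb = callback_from_url(REPORTED_URL)
    print("reported callback accepted:", is_safe_callback(cb))   # False
    print(render_jsonp("vivo.capabilityMap.render", '{"ok":true}'))
```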
Publication claiming is probably tied to the privilege to edit a profile. Once this PR (https://github.com/vivo-project/VIVO/pull/3887) is merged, it will be straightforward to define it as a separate privilege, so the issue could then be addressed through configuration in VIVO 1.15.0 or later. Georgy can present how this might be done after the summer break.
Actions
- Dragan Ivanovic to prepare release candidate 4
- Georgy Litvinov to align https://vivo.tib.eu/vivorc/ with release candidate 4
- Dragan Ivanovic to respond to slack messages
Previous actions
- Dragan Ivanovic will try to collect wiki pages where strategy, vision and roadmap for development of VIVO were discussed in the past
- Georgy Litvinov will try to address the issue https://github.com/vivo-project/VIVO/issues/3871
- Dragan Ivanovic will ask Michael to open a GitHub ticket for the issue about UF performance during login (https://vivo-project.slack.com/archives/C8RL9L98A/p1684174222986709); Brian Lowe and others can continue the discussion about this issue once a ticket is open
- Dragan Ivanovic will ask Rodrigo to open a GitHub ticket for the issue about custom themes and VIVO Docker (https://vivo-project.slack.com/archives/C8RL9L98A/p1684962021101889); William Welling and others can continue the discussion about this issue once a ticket is open
- Brian Lowe to open a GitHub issue for index page exception
- https://github.com/vivo-project/VIVO/issues/3867
- add a sample (minimal RDF) to reproduce the issue
- Miloš Popović or Ivan Mrsulja to review (https://github.com/vivo-project/VIVO/issues/3862)
- Georgy Litvinov to review (https://github.com/vivo-project/VIVO/issues/3847)
- Review (https://github.com/vivo-project/VIVO/issues/3865)
- Review (https://github.com/vivo-project/VIVO/issues/3864)
- Review (https://github.com/vivo-project/VIVO/issues/3858)
- Review (https://github.com/vivo-project/VIVO/issues/3859)
- Review (https://github.com/vivo-project/VIVO/issues/3855)
- Review (https://github.com/vivo-project/VIVO/security/dependabot/3)
...