Hangfire v1.6.26 Release Notes
Release Date: 2019-05-23
Release Notes
This version contains security fixes to prevent possible XSS attacks as described in #1441. They don't relate to user data submitted to Hangfire directly via method arguments, but it's recommended to upgrade anyway. If you are using Hangfire 1.7, please upgrade to version 1.7.3 instead.
Affected Packages: Hangfire.Core ≤ 1.6.25, 1.7.0, 1.7.1, 1.7.2
Affected Platforms: All, including .NET Core, .NET Framework, Mono of any version
Steps to reproduce
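```csharp
using System;
using Hangfire;

// The wrapping class is added so the snippet compiles; its name is arbitrary.
public static class XssRepro
{
    // Enqueue a background job that is guaranteed to fail.
    public static void Xss() { BackgroundJob.Enqueue(() => Xss2()); }

    // The exception message carries markup that ends up in the failed job's details.
    public static void Xss2() { throw new Exception("<script>alert(1);</script>"); }
}
```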
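The class of bug behind the steps to reproduce above, shown as an added example that is not Hangfire's code: a page that writes an exception's message into HTML, first as-is and then through `WebUtility.HtmlEncode`. The `FailedJobView` class and its method names are hypothetical stand-ins for a dashboard page.

```csharp
using System;
using System.Net;
using System.Text;

// Hypothetical stand-in for a dashboard page that shows a failed job.
// None of these type or method names come from Hangfire.
public static class FailedJobView
{
    // Before: exception fields are concatenated into the markup unchanged,
    // so any tags inside the message become part of the page.
    public static string RenderUnsafe(Exception ex)
    {
        var html = new StringBuilder();
        html.Append("<div class=\"failed-job\">");
        html.Append("<h4>").Append(ex.GetType().FullName).Append("</h4>");
        html.Append("<p>").Append(ex.Message).Append("</p>");
        html.Append("</div>");
        return html.ToString();
    }

    // After: every value that does not come from the template itself is
    // HTML-encoded before it is written, including the type name.
    public static string RenderEncoded(Exception ex)
    {
        var html = new StringBuilder();
        html.Append("<div class=\"failed-job\">");
        html.Append("<h4>").Append(WebUtility.HtmlEncode(ex.GetType().FullName)).Append("</h4>");
        html.Append("<p>").Append(WebUtility.HtmlEncode(ex.Message)).Append("</p>");
        html.Append("</div>");
        return html.ToString();
    }

    public static void Main()
    {
        // Same exception as in the steps to reproduce.
        var ex = new Exception("<script>alert(1);</script>");

        Console.WriteLine(RenderUnsafe(ex));
        string encoded = RenderEncoded(ex);
        Console.WriteLine(encoded);

        // Regression check: the encoded page must not contain a live tag
        // that originated in the exception message.
        if (encoded.Contains("<script"))
            throw new InvalidOperationException("exception message was not encoded");
    }
}
```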
Hangfire.Core
- SECURITY - Use `HtmlEncode` in all remaining places in Dashboard UI to prevent XSS attacks.
- SECURITY - Use