diff NEWS @ 5462:505416b269a0
Fix XSS in Orthanc error reporting (as reported by Sébastien Doria, Vumetric Cybersecurity)
| author | Alain Mazy <am@osimis.io> |
|---|---|
| date | Tue, 12 Dec 2023 10:13:49 +0100 |
| parents | 8345267e8de5 |
| children | 1dc6e4b7f5d8 |
--- a/NEWS Mon Dec 11 16:18:57 2023 +0100 +++ b/NEWS Tue Dec 12 10:13:49 2023 +0100 @@ -91,6 +91,9 @@ * Upgraded minizip library to stay away from CVE-2023-45853 although Orthanc is likely not affected since zip filenames are based on DICOM Tag values whose length is limited in size. Great thanks to James Addison for notifying us about the vulnerability and patch to apply ! +* Fix XSS in Orthanc error reporting (as reported by Sébastien Doria, Vumetric Cybersecurity) by: + - always including a 'Content-Type' header in HTTP responses with a body. + - always including 'X-Content-Type-Options: nosniff' Version 1.12.1 (2023-07-04)
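Review bot: the second added bullet is inconsistent with the first and reads as unfinished: it omits the word "header", does not say which responses it applies to, and lacks the trailing period the first bullet has. Suggest "- always including an 'X-Content-Type-Options: nosniff' header in HTTP responses." so the two mitigations are stated in parallel form. Since this is the user-facing changelog entry for a security fix, it would also help to name the affected surface more precisely than "error reporting" (e.g. which HTTP error responses echoed request data), so that administrators can judge their exposure and verify the fix by checking for both headers on an error response.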