CVE-2020-0872: Remote Code Execution Vulnerability in Application Inspector

Overview

Severity
N/A
Category
Remote Code Execution
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2020-Mar
Released
2020-03-10
EPSS Score
4.01% (percentile: 88.4%)

Description

A remote code execution vulnerability exists in Application Inspector version v1.0.23 or earlier when the tool reflects example code snippets from third-party source files into its HTML output without encoding them. An attacker who exploited it could send sections of the report containing code snippets to an external server. To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component. The update addresses the vulnerability by adding output encoding to the HTML report, blocking an attacker's ability to initiate a JavaScript action. Additional details can be found in the Application Inspector project on GitHub.
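The description above boils down to a single pattern: untrusted text (a snippet copied out of a scanned source file) is concatenated into an HTML report, so any markup inside the snippet is interpreted by the browser that opens the report. The following added example, written for this page and not taken from the Application Inspector project, shows the vulnerable rendering beside the fixed one that applies HTML output encoding, plus a round-trip check a report generator can use to confirm that encoded snippets survive intact. The report layout, the `CONSTRUCTED_SNIPPET` value and all function names are assumptions for illustration.

```python
import html
import re

# Constructed sample input: a line from a hypothetical third-party source file
# that happens to contain HTML markup. Nothing here is from the original page.
CONSTRUCTED_SNIPPET = 'var x = 1; // <script>/* constructed marker */</script>'


def render_snippet_unencoded(snippet: str) -> str:
    """Vulnerable pattern (assumed shape of the pre-fix report): the snippet is
    concatenated straight into the HTML, so markup inside it becomes live."""
    return '<pre class="snippet">' + snippet + '</pre>'


def render_snippet_encoded(snippet: str) -> str:
    """Fixed pattern: HTML-encode the snippet before embedding it. '<', '>', '&'
    and quotes become entities, so the browser shows the markup as text."""
    return '<pre class="snippet">' + html.escape(snippet, quote=True) + '</pre>'


def build_report(findings, encode=True) -> str:
    """Assemble a minimal report from (file name, snippet) pairs. Both the file
    name and the snippet come from the scanned tree, so both are encoded."""
    render = render_snippet_encoded if encode else render_snippet_unencoded
    esc = html.escape if encode else (lambda s: s)
    rows = []
    for path, snippet in findings:
        rows.append('<h2>' + esc(path) + '</h2>\n' + render(snippet))
    return '<html><body>\n' + '\n'.join(rows) + '\n</body></html>'


def contains_live_script_tag(fragment: str) -> bool:
    """Illustrative check: does an un-encoded <script ...> tag appear in the
    generated HTML? A real test would use an HTML parser; this is enough to
    show the difference between the two renderers."""
    return re.search(r'<script\b', fragment, re.IGNORECASE) is not None


def extract_snippets(report: str):
    """Round-trip helper: pull the text of every <pre class="snippet"> block out
    of a generated report and decode the entities back to the original text."""
    bodies = re.findall(r'<pre class="snippet">(.*?)</pre>', report, re.DOTALL)
    return [html.unescape(b) for b in bodies]


if __name__ == '__main__':
    findings = [('vendor/lib.js', CONSTRUCTED_SNIPPET)]
    vulnerable = build_report(findings, encode=False)
    fixed = build_report(findings, encode=True)
    print('live script tag in unencoded report:', contains_live_script_tag(vulnerable))
    print('live script tag in encoded report:  ', contains_live_script_tag(fixed))
    print('encoded snippets round-trip intact:  ', extract_snippets(fixed) == [CONSTRUCTED_SNIPPET])
```

The round-trip check is the useful regression test for a fix like this one: after encoding, the report must contain no live tag from the scanned input, yet decoding the `<pre>` body must return the original snippet byte for byte, which proves the encoding neither dropped nor altered the evidence the report is meant to show.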

Affected Products (1)

Open Source Software

  • Application Inspector

Security Updates (1)

Acknowledgments

Ahmad Khan (@ahmsec, https://twitter.com/ahmsec)

Revision History

  • 2020-03-10: Information published.