Red Hat Quay has a persistent (stored) XSS vulnerability when displaying a repository's email notification. An attacker who can trick a user into performing a malicious action can use this flaw to impersonate the target user.
Name: Chen Cohen (eBay)
Issue already tracked here https://issues.redhat.com/browse/PROJQUAY-1344.
Our recommendation is to add input validation and sanitization to all user inputs in the service.
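As an added illustration of that recommendation (example code, not Quay's own), the Python below shows the two defensive layers for a notification e-mail field: strict validation when the value is accepted, and context-appropriate HTML escaping when it is rendered. The function names, the sample values and the table-cell markup are constructed for the example.

```python
import html
import re

# Conservative address pattern: enough for a notification target, and it
# rejects every character that has meaning in HTML (<, >, ", ', &).
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def is_valid_notification_email(value: str) -> bool:
    """Input validation layer: accept only a plain address of sane length."""
    return len(value) <= 254 and _EMAIL_RE.fullmatch(value) is not None


def render_notification_cell_unsafe(email: str) -> str:
    """The pattern behind a stored XSS: an untrusted value concatenated
    straight into markup, so any tags it contains become part of the page."""
    return f"<td>{email}</td>"


def render_notification_cell(email: str) -> str:
    """Output encoding layer: escape at the HTML sink regardless of what
    validation did earlier, so a value that slipped past it is shown as text."""
    return f"<td>{html.escape(email, quote=True)}</td>"


def store_notification_email(value: str) -> str:
    """Constructed 'save' path: validate first and refuse anything else."""
    if not is_valid_notification_email(value):
        raise ValueError("notification e-mail address is not a plain address")
    return value


if __name__ == "__main__":
    # Constructed sample values: one legitimate address, one carrying markup.
    for sample in ("alerts@example.com", "<b>not-an-address</b>@example.com"):
        print(is_valid_notification_email(sample), render_notification_cell(sample))
```

Validation alone is not enough: the escaping in the render function is what keeps a value that was stored before the check existed from executing in a viewer's browser.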
This issue has been addressed in the following products:
Red Hat Quay 3
Via RHSA-2021:0050 https://access.redhat.com/errata/RHSA-2021:0050
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):