Red Hat Quay has a persistent (stored) XSS vulnerability when displaying a repository's email notification. An attacker who can trick a user into performing a malicious action can use this flaw to impersonate the target user.
Upstream commit: https://github.com/quay/quay/pull/613
Acknowledgments: Chen Cohen (eBay)
This issue is already tracked at https://issues.redhat.com/browse/PROJQUAY-1344. Our recommendation is to add input validation and sanitization to all user inputs in the service.
This issue has been addressed in the following products: Red Hat Quay 3, via RHSA-2021:0050 (https://access.redhat.com/errata/RHSA-2021:0050).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27832