We got notified by the security team regarding a security issue in our ffx-core library. We have released patch versions for this issue in ffx-core library v11. ffx-core library v10 won't be patched because we don't support v10 anymore. If you still use library v10, you can upgrade it to v11 by following this guideline.
We have pushed the commit for the update; you just need to cherry-pick these two commits, c46b617efd63cd514ae843ff281790caf8cfdb3f and 27ff4bff288c5ed4035ad2beee9bbdfe658b17bf, to your own branch.
If you use the ffx-core library with versions v11.0.66 and before, v11.1.21 and before, or v11.2.17 and before, you need to update the library to the latest patch version for the minor version you currently use.
Should you have any questions regarding this, kindly ask it in this thread.
Update 27th January 2021: There is an issue reported by the CTV team. If you use https:// in the corsConfig, the validation will fail. As a workaround, you can omit the https:// part from the corsConfig. We will release a patch later to make it backward-compatible.
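An added illustration (not ffx-core's own code; the corsConfig shape, function names and matching rules are assumptions) of why a scheme in a corsConfig entry can break a host-only origin comparison, and how a backward-compatible check can accept both the bare-host and the scheme-qualified form while still denying other origins:

```javascript
// Constructed example: origin allow-list matching for a corsConfig array.
// Entries may be a bare host ("www.example.com") or carry a scheme
// ("https://www.example.com"). URL is a Node.js global (no require needed).

// Parse one corsConfig entry into { protocol, host }; protocol is null for bare hosts.
function parseAllowedEntry(entry) {
  const trimmed = entry.trim().toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:\/\//.test(trimmed)) {
    const u = new URL(trimmed);
    return { protocol: u.protocol, host: u.host };
  }
  // Bare host with optional port; anything else is a misconfiguration, so fail loudly.
  if (!/^[a-z0-9.-]+(:\d+)?$/.test(trimmed)) {
    throw new Error(`invalid corsConfig entry: ${entry}`);
  }
  return { protocol: null, host: trimmed };
}

// Hypothetical host-only matcher reproducing the symptom from the thread:
// the request's host is compared to the raw entry, so an entry that carries
// "https://" can never match and validation fails.
function hostOnlyMatch(requestOrigin, corsConfig) {
  const host = new URL(requestOrigin).host.toLowerCase();
  return corsConfig.some((entry) => entry.toLowerCase() === host);
}

// Backward-compatible matcher: bare-host entries match any scheme, scheme-qualified
// entries must match scheme and host exactly. A missing, "null" or malformed Origin
// is rejected, so requests without a verifiable origin are treated as cross-site.
function isAllowedOrigin(requestOrigin, corsConfig) {
  if (!requestOrigin || requestOrigin === "null") return false;
  let origin;
  try {
    origin = new URL(requestOrigin);
  } catch (e) {
    return false;
  }
  const host = origin.host.toLowerCase();
  return corsConfig
    .map(parseAllowedEntry)
    .some((a) => a.host === host && (a.protocol === null || a.protocol === origin.protocol));
}
```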
Update 05th February 2021: The patch to fix the issue in the previous update has been released (v11.0.70, v11.1.25, and v11.2.21).
This security issue allows the exploitation of CSRF (Cross-Site Request Forgery). CSRF itself could be exploited to force victims to execute arbitrary actions such as making a booking, cancelling a booking, or account hijacking via an external account.
More Info: https://risk-rating.vm.sec.tvlk.tech/?v=14997548655735594