🔒 Security
This release patches two critical stored XSS vulnerabilities that allowed unprivileged users (any member of the linked Discord guild, or any Jellyseerr account) to exfiltrate all secrets stored in Anchorr (Discord token, API keys, JWT secret, password hashes) by injecting JavaScript into the admin dashboard.
All users are strongly encouraged to update immediately. Operators who ran an affected version with untrusted guild members or Jellyseerr users should also rotate the secrets listed above: token revocation cannot help against tokens an attacker mints with a leaked JWT secret.
GHSA-qpmq-6wjc-w28q — Stored XSS via Discord member display names
Reported by @xdnewlun1
The Discord member dropdown rendered display names via innerHTML without sanitization. A guild member with a crafted display name could inject scripts that executed in the admin's browser session and exfiltrated credentials via GET /api/config.
GHSA-6mg4-788h-7g9g — Stored XSS via Jellyseerr usernames
Reported by @Rex50527
Jellyseerr usernames were injected into the dashboard via innerHTML without escaping. A Jellyseerr account with a crafted username could trigger the same credential exfiltration chain.
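Both advisories share one sink: untrusted text concatenated into markup and assigned to `innerHTML`. The block below is an added example, not Anchorr's code, showing that pattern next to the DOM-API rewrite and the avatar CDN check the release describes. Function and field names (`memberOptionHtmlVulnerable`, `isAllowedAvatarUrl`, `renderMemberOption`, `displayName`, `avatarUrl`) and the sample member are assumptions. It goes slightly beyond the release note in one respect: the CDN check parses the URL and compares the hostname exactly, which also rejects look-alike hosts and userinfo tricks that a string-prefix check would pass.

```javascript
// Added example, not Anchorr's code. Function and field names are assumptions.
const ALLOWED_AVATAR_HOST = 'cdn.discordapp.com';

// Constructed sample input: a guild member whose display name is a classic XSS
// canary and whose avatar points at a look-alike host.
const POISONED_MEMBER = {
  id: '1234',
  displayName: '<img src=x onerror="alert(document.domain)">',
  avatarUrl: 'https://cdn.discordapp.com.attacker.example/avatar.png',
};

// BEFORE (the pattern the advisory describes): the name is concatenated into
// markup destined for innerHTML, so the browser parses the payload as HTML and
// the onerror handler runs with the admin's session.
function memberOptionHtmlVulnerable(member) {
  return `<div class="member" data-id="${member.id}">` +
    `<img src="${member.avatarUrl}"><span>${member.displayName}</span></div>`;
}

// Accepts only https URLs whose host is exactly cdn.discordapp.com and returns
// the normalised href, or null. Parsing with URL rather than a prefix check
// rejects 'https://cdn.discordapp.com.attacker.example/',
// 'https://cdn.discordapp.com@attacker.example/' and 'javascript:' schemes.
function isAllowedAvatarUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch { return null; }
  if (url.protocol !== 'https:' || url.hostname !== ALLOWED_AVATAR_HOST) return null;
  if (url.username || url.password) return null;
  return url.href;
}

// AFTER: nodes are built with the DOM API. textContent stores the name as a
// text node, so '<' is rendered literally and never parsed as markup; img.src
// is set only when the URL passes the CDN check. Browser-only (needs document).
function renderMemberOption(member) {
  const item = document.createElement('div');
  item.className = 'member';
  item.dataset.id = String(member.id);
  const avatar = document.createElement('img');
  const safeUrl = isAllowedAvatarUrl(member.avatarUrl);
  if (safeUrl) avatar.src = safeUrl;
  avatar.alt = '';
  const name = document.createElement('span');
  name.textContent = member.displayName;
  item.append(avatar, name);
  return item;
}

// Stand-alone demo: the string builder passes the payload through verbatim and
// the look-alike avatar host is rejected; the DOM builder runs only in a browser.
if (typeof document !== 'undefined') {
  document.body.append(renderMemberOption(POISONED_MEMBER));
}
console.log(memberOptionHtmlVulnerable(POISONED_MEMBER));
console.log(isAllowedAvatarUrl(POISONED_MEMBER.avatarUrl)); // null
```

The same `textContent` approach applies to the Jellyseerr username path: anything that comes from another service's user-controlled profile field is data and should reach the DOM as a text node, not as a string handed to `innerHTML`.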
What was fixed
- DOM API rewrite: the Discord member dropdown now builds nodes with `createElement`/`textContent`; display names are treated as data, never markup
- Avatar URL validation: avatar URLs are validated against `cdn.discordapp.com` before being assigned to `img.src`
- i18n sanitization: translation strings are sanitized before `innerHTML` injection; `<script>` elements, event-handler attributes and `javascript:` URLs are stripped while safe markup is preserved
- Config sanitization: sensitive fields are masked before being sent to the browser, so a script running in the dashboard can no longer read them from `GET /api/config`; the server detects the masked placeholders on save so a round-tripped config does not overwrite stored credentials
- JWT token revocation: tokens now carry a `jti` claim; logout immediately invalidates the token server-side
- Security response headers: `X-Frame-Options`, `X-Content-Type-Options`, `X-XSS-Protection` (ignored by current Chromium and Firefox, kept for legacy browsers), `Referrer-Policy`
- Auth rate limiting: login and register endpoints limited to 20 requests per 15 minutes per IP
🚀 Improvements
- Dynamic version display: Dashboard footer and About section now show the live version from the server
Credits
Vulnerabilities reported by @xdnewlun1 and @Rex50527.