If an attacker is able to inject code that is only rendered for themselves (as the PoC showed) then we shouldn't be too worried and we can fix in public. If there are other exploit vectors where an attacker can inject templates that are rendered for others then it's a more serious issue.
Is this a new issue or something we'll have to backport?