exploitDog

CVE-2024-51498

Published: 05 Nov 2024
Source: nvd
EPSS Low

Description

cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the javascript: protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit 66bac03e, was mitigated in commit 97977efa (correctly configured web instances were no longer vulnerable) and fully fixed in commit c4be1d3a (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a content-security-policy.
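
The class of check that closes this kind of hole, as an added example that is not cobalt's own code or its actual fix: links returned by a remote instance are parsed with the WHATWG `URL` parser and kept only when the scheme is on an allowlist. The function names, the picker item shape and the sample data are assumptions constructed for illustration.

```javascript
// Added example (not from the cobalt code base): scheme allowlist for links
// that a remote, possibly malicious, instance returns for a picker.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]);

// Returns a normalized href that is safe to place in <a href>, or null.
function safeDownloadHref(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // No base URL is given, so relative and scheme-less values throw.
    parsed = new URL(raw);
  } catch {
    return null;
  }
  // The parser lowercases the scheme and strips tabs, newlines and leading
  // spaces, the same way a browser does before it follows the link.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// For contrast: a string blocklist, which does not see what the browser sees.
function naiveBlocklist(raw) {
  return !raw.startsWith("javascript:");
}

// Drops every picker item whose link fails the allowlist (hypothetical shape).
function filterPickerItems(items) {
  const kept = [];
  for (const item of items) {
    const href = safeDownloadHref(item && item.url);
    if (href !== null) kept.push({ ...item, url: href });
  }
  return kept;
}

// Constructed sample response; none of these values come from the advisory.
const constructedPicker = [
  { type: "video", url: "https://cdn.example/video.mp4" },
  { type: "photo", url: "javascript:void(0)" },
  { type: "photo", url: "java\tscript:void(0)" },
  { type: "photo", url: "  JavaScript:void(0)" },
  { type: "photo", url: "data:text/html,placeholder" },
  { type: "photo", url: "/relative/path.jpg" },
];

for (const item of constructedPicker) {
  console.log(JSON.stringify(item.url), "->", safeDownloadHref(item.url));
}
```

Only the first constructed item survives `filterPickerItems`, while `naiveBlocklist` accepts the tab-split and mixed-case variants.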

EPSS

Percentile: 38%
0.00166
Low

Weaknesses

CWE-79
