Grist logo

Grist

Grist is the evolution of spreadsheets

Alternative to: airtable, google sheets, excel online, smartsheet


About Versions (64)

v1.3.2

2024-12-20

What’s Changed

  • Preliminary work for a SCIM API endpoints
  • New translations and minor fixes

Security advisory

A set of XSS vulnerabilities were found in Grist by a private bug bounty program funded by DINUM (the Interministerial Digital Directorate of the French government).

  • A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the javascript: scheme with custom widget URLs and form redirect URLs.
    • Mitigation: restricted custom widget URLs and form redirect URLs to http(s) schemes.
  • A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page.
    • Mitigation: added an appropriate content security policy for attachments.
  • A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page.
    • Mitigation: restricted HyperLink cell links to http(s) schemes.

Versions prior to 1.3.2 are known to be vulnerable. Please upgrade.

These advisories are also documented in our security advisory page.

Thanks to @spawnzii for initially reporting these security vulnerabilities.

Full Changelog: https://github.com/gristlabs/grist-core/compare/v1.3.0…v1.3.2