Today we are releasing Ember.js 3.24.7, 3.28.10, 4.4.4, 4.8.1, and 4.9.0-beta.3 to patch a security vulnerability. A CVE number is pending and this post will be updated to include it once it's been issued.
Apps that pass untrusted input as paths to EmberObject.setProperties or EmberObject.set, or the corresponding standalone functions setProperties or set, may get surprising results that, in combination with other application bugs, could lead to cross-site scripting vulnerabilities.