A vulnerability was discovered that allowed JavaScript to be injected into the HTML view that renders channel content.
Codeux Software is not aware of any case in which this vulnerability was abused in the wild.
The vulnerability, which was discovered by Wladimir Palant, has existed since version 2.1.1 (mid-2012) of Textual.
Double quotes (") are allowed to appear inside a URL which means a person with malicious intent had the power to append code to the HTML anchor element which is used to turn a URL into a link.
The vulnerability was fixed by appropriately escaping the characters inside each URL.
This web page will be displayed to anyone who hovers their mouse pointer over the URL displayed below.
https://bing.com/#"onmouseover="eval(atob('d2luZG93LmxvY2F0aW9uPSdodHRwczovL2hlbHAuY29kZXV4LmNvbS90ZXh0dWFsL1NlY3VyaXR5LUFkdmlzb3J5LUphbnVhcnktMjAxNi0xLmtiJzs='))
This works by decoding the encoded data and evaluating it as JavaScript.
The encoded data, when decoded, is:
window.location='https://help.codeux.com/textual/Security-Advisory-January-2016-1.kb';