GHSA-xw7c-jx9m-xh5g
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xw7c-jx9m-xh5g
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-xw7c-jx9m-xh5g/GHSA-xw7c-jx9m-xh5g.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xw7c-jx9m-xh5g
- Aliases
- Related
- Published
- 2021-06-07T21:47:41Z
- Modified
- 2024-11-26T05:38:13.757652Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Reflected cross-site scripting issue in Datasette
- Details
-
Impact
The
?_trace=1debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability.This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data.
Patches
Datasette 0.57 and 0.56.1 both include patches for this issue.
Workarounds
If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with
?_trace=or&_trace=in their query string parameters.References
For more information
If you have any questions or comments about this advisory: * Open a discussion in simonw/datasette * Email us at
swillison+datasette @ gmail.com - Database specific
{ "nvd_published_at": null, "github_reviewed": true, "github_reviewed_at": "2021-06-07T20:59:14Z", "severity": "MODERATE", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g
- https://github.com/simonw/datasette/issues/1360
- https://datasette.io/plugins/datasette-auth-passwords
- https://github.com/advisories/GHSA-gff3-739c-gxfq
- https://github.com/pypa/advisory-database/tree/main/vulns/datasette/PYSEC-2021-89.yaml
- https://github.com/simonw/datasette
- https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks
- https://pypi.org/project/datasette
Affected packages
PyPI / datasette
Package
- Name
- datasette
- View open source insights on deps.dev
- Purl
- pkg:pypi/datasette
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.56.1
Affected versions
0.*
0.8
0.9
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.22.1
0.23
0.23.1
0.23.2
0.24
0.25
0.25.1
0.25.2
0.26
0.26.1
0.26.2
0.27
0.27.1
0.28
0.29
0.29.1
0.29.2
0.29.3
0.30
0.30.1
0.30.2
0.31
0.31.1
0.31.2
0.32
0.33
0.34
0.35
0.36
0.37
0.37.1
0.38
0.39
0.40
0.41
0.42
0.43
0.44
0.45a0
0.45a1
0.45a2
0.45a3
0.45a4
0.45a5
0.45
0.46
0.47
0.47.1
0.47.2
0.47.3
0.48
0.49a0
0.49a1
0.49
0.49.1
0.50a0
0.50a1
0.50
0.50.1
0.50.2
0.51a0
0.51a1
0.51a2
0.51
0.51.1
0.52
0.52.1
0.52.2
0.52.3
0.52.4
0.52.5
0.53
0.54a0
0.54
0.54.1
0.55
0.56