Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdmZjMtNzM5Yy1neGZx
Reflected cross-site scripting issue in Datasette
Datasette is an open source multi-tool for exploring and publishing data. The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords, as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can work around this issue by rejecting any incoming requests with ?_trace= or &_trace= in their query string parameters.
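The proxy-side workaround described above, as an added example that is not part of the advisory or of Datasette's own code: a small ASGI wrapper in Python that refuses any request whose query string carries a _trace parameter, so the vulnerable debugging view is never reached. The names has_trace_param, RejectTraceMiddleware and status_for are this example's own, and the downstream application is a constructed stand-in for Datasette. It parses the query string rather than matching the literal text "?_trace=" / "&_trace=", because query-string parsers percent-decode parameter names, and a raw substring rule at a proxy would let an encoded spelling such as %5Ftrace=1 through.

```python
"""Reject requests carrying a ``_trace`` query parameter before they reach
Datasette. Added example, not Datasette's own code: it implements the
proxy-side workaround from the advisory as an ASGI wrapper. The names
``has_trace_param``, ``RejectTraceMiddleware`` and ``status_for`` are this
example's own."""
import asyncio
from urllib.parse import parse_qs

BLOCKED_PARAM = "_trace"


def has_trace_param(query_string: bytes) -> bool:
    """True if the raw query string contains a ``_trace`` parameter.

    parse_qs percent-decodes parameter names, so ``%5Ftrace=1`` is caught as
    well as the literal ``?_trace=1`` / ``&_trace=1`` forms the advisory lists;
    a plain substring match on the raw bytes would miss the encoded spelling.
    keep_blank_values=True also catches a bare ``?_trace`` with no value.
    """
    params = parse_qs(query_string.decode("latin-1"), keep_blank_values=True)
    return BLOCKED_PARAM in params


class RejectTraceMiddleware:
    """ASGI wrapper that answers 400 to any HTTP request with ``_trace`` set."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and has_trace_param(scope.get("query_string", b"")):
            body = b"_trace is disabled on this deployment\n"
            await send({
                "type": "http.response.start",
                "status": 400,
                "headers": [
                    (b"content-type", b"text/plain; charset=utf-8"),
                    (b"content-length", str(len(body)).encode()),
                ],
            })
            await send({"type": "http.response.body", "body": body})
            return
        await self.app(scope, receive, send)


async def _downstream_app(scope, receive, send):
    """Constructed stand-in for Datasette: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for(path_with_query: str) -> int:
    """Drive the middleware with a constructed ASGI scope; return the status."""
    path, _, query = path_with_query.partition("?")
    scope = {
        "type": "http",
        "method": "GET",
        "path": path,
        "query_string": query.encode("latin-1"),  # ASGI carries it as bytes
    }
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(RejectTraceMiddleware(_downstream_app)(scope, receive, send))
    return next(m["status"] for m in sent if m["type"] == "http.response.start")


if __name__ == "__main__":
    # Constructed sample URLs: a normal request, the two forms named in the
    # advisory, and a percent-encoded spelling a substring rule would miss.
    for url in [
        "/fixtures/facetable",
        "/fixtures/facetable?_trace=1",
        "/fixtures/facetable?_size=5&_trace=1",
        "/fixtures?%5Ftrace=1",
    ]:
        print(url, status_for(url))
```

The wrapper is only a stop-gap for deployments that cannot upgrade yet; the fixed releases listed below remove the underlying escaping bug, and the same parse-then-match rule applies if the rejection is implemented in the proxy's own configuration language instead.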
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdmZjMtNzM5Yy1neGZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-gff3-739c-gxfq, CVE-2021-32670
References:
- https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g
- https://nvd.nist.gov/vuln/detail/CVE-2021-32670
- https://github.com/simonw/datasette/issues/1360
- https://datasette.io/plugins/datasette-auth-passwords
- https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks
- https://pypi.org/project/datasette/
- https://github.com/advisories/GHSA-gff3-739c-gxfq
Blast Radius: 17.7
Affected Packages
pypi:datasette
Dependent packages: 104
Dependent repositories: 285
Downloads: 46,612 last month
Affected Version Ranges: < 0.56.1
Fixed in: 0.56.1
All affected versions: 0.22.1, 0.23.1, 0.23.2, 0.25.1, 0.25.2, 0.26.1, 0.26.2, 0.27.1, 0.29.1, 0.29.2, 0.29.3, 0.30.1, 0.30.2, 0.31.1, 0.31.2, 0.37.1, 0.47.1, 0.47.2, 0.47.3, 0.49.1, 0.50.1, 0.50.2, 0.51.1, 0.52.1, 0.52.2, 0.52.3, 0.52.4, 0.52.5, 0.54.1
All unaffected versions: 0.56.1, 0.57.1, 0.58.1, 0.59.1, 0.59.2, 0.59.3, 0.59.4, 0.60.1, 0.60.2, 0.61.1, 0.63.1, 0.63.2, 0.63.3, 0.64.1, 0.64.2, 0.64.3, 0.64.4, 0.64.5, 0.64.6