Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdmZjMtNzM5Yy1neGZx

Reflected cross-site scripting issue in Datasette

Datasette is an open source multi-tool for exploring and publishing data. The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with ?_trace= or &_trace= in their query string parameters.

Permalink: https://github.com/advisories/GHSA-gff3-739c-gxfq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdmZjMtNzM5Yy1neGZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Identifiers: GHSA-gff3-739c-gxfq, CVE-2021-32670
References:

• https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g
• https://nvd.nist.gov/vuln/detail/CVE-2021-32670
• https://github.com/simonw/datasette/issues/1360
• https://datasette.io/plugins/datasette-auth-passwords
• https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks
• https://pypi.org/project/datasette/
• https://github.com/advisories/GHSA-gff3-739c-gxfq

Repository: https://github.com/simonw/datasette
Blast Radius: 17.7

Affected Packages