Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5bTItNmhxMi00cjNj

Cross-site Scripting in invenio-previewer

Cross-Site Scripting (XSS) vulnerability in JSON, Markdown and iPython Notebook previewers

Impact

Several Cross-Site Scripting (XSS) vulnerabilities have been found in the JSON, Markdown and iPython Notebook previewers. They would allow a malicious user to upload a JSON, Markdown or Notebook file with embedded scripts that are executed by a victim's browser when the file is previewed.

Patches

Invenio-Previewer v1.0.0a12 fixes the issue.

Workarounds

You can remediate the vulnerability without upgrading by disabling the affected previewers. You do this by adding the following to your configuration:

PREVIEWER_PREFERENCE = [
    'csv_dthreejs',
    'simple_image',
    # 'json_prismjs',
    'xml_prismjs',
    # 'mistune',
    'pdfjs',
    # 'ipynb',
    'zip',
]

Afterwards, you should not be able to preview JSON, Markdown or iPython Notebook files.
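To check a deployment against this advisory, the two facts that matter are the installed invenio-previewer version (affected range <= 1.0.0a11, fixed in 1.0.0a12) and whether any of the three affected previewer keys (json_prismjs, mistune, ipynb) are still listed in PREVIEWER_PREFERENCE. The script below is an added example written for this page, not code from the invenio-previewer project; the function and constant names are its own, and it does not import Invenio. It includes a small version parser because pre-releases such as 1.0.0a12 sort before 1.0.0, which a plain string comparison gets wrong. The sample configurations are constructed from the workaround list above (the "default" one simply restores the three commented-out keys).

```python
import re
from typing import Iterable, List, Tuple

# Previewer keys the advisory's workaround comments out.
AFFECTED_PREVIEWERS = {"json_prismjs", "mistune", "ipynb"}

# Boundaries from the advisory: "<= 1.0.0a11" affected, "1.0.0a12" fixed.
LAST_AFFECTED = "1.0.0a11"
FIRST_FIXED = "1.0.0a12"

# Accepts the shapes seen on this page: "0.1.0", "1.0.0a12", "1.0.0-a10".
_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"
    r"(?:[-.]?(?P<pre_tag>a|b|rc)(?P<pre_num>\d+))?$"
)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Parse a version into a tuple that orders like PEP 440 for this shape.

    Pre-releases (a < b < rc) rank below the final release of the same base,
    so 1.0.0a11 < 1.0.0a12 < 1.0.0. Trailing zero components are dropped so
    that 1.0 and 1.0.0 compare equal.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group("pre_tag") is None:
        return (release, 3, 0)          # final release outranks any pre-release
    rank = {"a": 0, "b": 1, "rc": 2}[m.group("pre_tag")]
    return (release, rank, int(m.group("pre_num")))


def version_is_affected(version: str) -> bool:
    """True if the installed invenio-previewer falls within '<= 1.0.0a11'."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def enabled_affected_previewers(preference: Iterable[str]) -> List[str]:
    """Affected previewer keys that remain enabled in PREVIEWER_PREFERENCE."""
    return [p for p in preference if p in AFFECTED_PREVIEWERS]


def assess(version: str, preference: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (exposed, reasons) for one deployment.

    A deployment is exposed only when it runs an affected version AND keeps
    at least one affected previewer enabled; either upgrading or removing
    all three keys from PREVIEWER_PREFERENCE closes the issue on its own.
    """
    if not version_is_affected(version):
        return False, [f"version {version} is not in the affected range"]
    still_on = enabled_affected_previewers(preference)
    if not still_on:
        return False, [f"version {version} is affected but the affected previewers are disabled"]
    return True, [
        f"version {version} is affected (<= {LAST_AFFECTED}, fixed in {FIRST_FIXED})",
        "affected previewers still enabled: " + ", ".join(still_on),
    ]


# Constructed sample configurations (not copied from any real deployment).
WORKAROUND_PREFERENCE = ["csv_dthreejs", "simple_image", "xml_prismjs", "pdfjs", "zip"]
DEFAULT_PREFERENCE = ["csv_dthreejs", "simple_image", "json_prismjs", "xml_prismjs",
                      "mistune", "pdfjs", "ipynb", "zip"]

if __name__ == "__main__":
    for ver, pref in [("1.0.0a11", DEFAULT_PREFERENCE),
                      ("1.0.0a11", WORKAROUND_PREFERENCE),
                      ("1.0.0a12", DEFAULT_PREFERENCE)]:
        exposed, reasons = assess(ver, pref)
        print("EXPOSED" if exposed else "ok", ver, "->", "; ".join(reasons))
```

Run it against the version reported by `pip show invenio-previewer` and the PREVIEWER_PREFERENCE from your instance's config. The version parser deliberately rejects forms it does not recognise (for example `.dev` or `.post` suffixes) rather than guessing, so a ValueError means you should compare by hand.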

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-j9m2-6hq2-4r3c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5bTItNmhxMi00cjNj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 2 months ago


CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Percentage: 0.00087
EPSS Percentile: 0.38522

Identifiers: GHSA-j9m2-6hq2-4r3c, CVE-2019-1020019
References: Repository: https://github.com/inveniosoftware/invenio-previewer
Blast Radius: 10.9

Affected Packages

pypi:invenio-previewer
Dependent packages: 6
Dependent repositories: 62
Downloads: 6,132 last month
Affected Version Ranges: <= 1.0.0a11
Fixed in: 1.0.0a12
All affected versions: 0.1.0, 1.0.0-a10, 1.0.0-a11
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.4.0, 1.5.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2