Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5bTItNmhxMi00cjNj

Cross-site Scripting in invenio-previewer

Cross-Site Scripting (XSS) vulnerability in JSON, Markdown and iPython Notebook previewers

Impact

Several Cross-Site Scripting (XSS) vulnerabilities have been found in the JSON, Markdown and iPython Notebook previewers. The vulnerabilities would allow a malicous user to upload a JSON, Markdown or Notebook file with embedded scripts that would be executed by a victims browser.

Patches

Invenio-Previewer v1.0.0a12 fixes the issue.

Workarounds

You can remediate the vulnerability without upgrading by disabling the affected previewers. You do this by adding the following to your configuration:

PREVIEWER_PREFERENCE = [
    'csv_dthreejs',
    'simple_image',
    # 'json_prismjs',
    'xml_prismjs',
    # 'mistune',
    'pdfjs',
    # 'ipynb',
    'zip',
]

Afterwards, you should not be able to preview JSON, Markdown or iPython Notebook files.

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-j9m2-6hq2-4r3c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5bTItNmhxMi00cjNj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago

CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-j9m2-6hq2-4r3c, CVE-2019-1020019
References:

• https://github.com/inveniosoftware/invenio-previewer/security/advisories/GHSA-j9m2-6hq2-4r3c
• https://nvd.nist.gov/vuln/detail/CVE-2019-1020019
• https://github.com/advisories/GHSA-j9m2-6hq2-4r3c

Repository: https://github.com/inveniosoftware/invenio-previewer
Blast Radius: 10.9

Affected Packages