Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ4aDMtbXZ2Ny0yNjVq

Cross-site scripting invenio-records

Cross-Site Scripting (XSS) vulnerability in administration interface

Impact

A Cross-Site Scripting (XSS) vulnerability was discovered when rendering JSON for a record in the administration interface. The vulnerability could be exploited by e.g. a user who had access to upload a new record, that an admin user would then later view in the admin interface.

Patches

All supported versions of Invenio-Records have been patched. You should upgrade to either v1.0.1, v1.1.1 or v1.2.2

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-vxh3-mvv7-265j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZ4aDMtbXZ2Ny0yNjVq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 2 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-vxh3-mvv7-265j, CVE-2019-1020003
References:

• https://github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j
• https://nvd.nist.gov/vuln/detail/CVE-2019-1020003
• https://github.com/advisories/GHSA-vxh3-mvv7-265j
• https://github.com/pypa/advisory-database/tree/main/vulns/invenio-records/PYSEC-2019-27.yaml

Repository: https://github.com/inveniosoftware/invenio-records
Blast Radius: 11.0

Affected Packages