Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXh3N2Mtang5bS14aDVn

Reflected cross-site scripting issue in Datasette

Impact

The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability.

This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data.

Patches

Datasette 0.57 and 0.56.1 both include patches for this issue.

Workarounds

If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with ?_trace= or &_trace= in their query string parameters.

References

• OWASP guide to reflected cross-site scripting
• Datasette issue #1360

For more information

If you have any questions or comments about this advisory:

• Open a discussion in simonw/datasette
• Email us at swillison+datasette @ gmail.com

Permalink: https://github.com/advisories/GHSA-xw7c-jx9m-xh5g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXh3N2Mtang5bS14aDVn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Identifiers: GHSA-xw7c-jx9m-xh5g
References:

• https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g
• https://github.com/advisories/GHSA-xw7c-jx9m-xh5g

Repository: https://github.com/simonw/datasette
Blast Radius: 17.7

Affected Packages