Deployed instances of Datasette prior to 0.65.2 and 1.0a21 include an open redirect vulnerability. Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar.
Deployed instances of Datasette prior to 0.65.2 and 1.0a21 include an open redirect vulnerability. Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar.
Impact This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords). The /-/api API explorer endpoint could reveal the names of both databases and tables - but not their contents - to an unauthenticated user. Patches Datasette 1.0a4 has a fix for this issue. Workarounds To work around …
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xw7c-jx9m-xh5g. This link is maintained to preserve external references. Original Description Datasette is an open source multi-tool for exploring and publishing data. The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as …
The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data.
Cross-Site Request Forgery in datasette.