CVE-2021-32670: Reflected cross-site scripting issue in Datasette
The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability.
This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords, as an attacker could use the vulnerability to access protected data.
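The following is an added example and not Datasette's own code: it shows the class of bug the advisory describes (request-derived text interpolated into a debug page without escaping) beside the escaped rendering that closes it, with a regression check and a small access-log scan for ?_trace=1 requests that carry markup. The trace-entry shape, function names, sample URL and log lines are constructed for illustration; only the ?_trace=1 parameter comes from the advisory.

```python
"""Added example, not Datasette's own code: the un-escaped HTML pattern the
advisory describes, beside the escaped form that closes the hole, plus a
small access-log check for ?_trace=1 requests carrying markup.

Assumptions: the trace-entry shape, the function names and the log lines
below are constructed for illustration; only the ?_trace=1 parameter comes
from the advisory."""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed request: a trace view echoing a URL-supplied SQL string that
# carries HTML markup (the marker is a harmless placeholder, not a payload).
CONSTRUCTED_URL = (
    "/db/table.json?_trace=1&sql=select+1+--+"
    "%3Cscript%3E%2F*constructed+marker*%2F%3C%2Fscript%3E"
)


def trace_entries_from_url(url: str) -> list:
    """Build trace entries (hypothetical shape) from the request query string."""
    qs = parse_qs(urlparse(url).query)
    return [{"kind": "sql", "text": qs.get("sql", [""])[0]}]


def render_trace_unsafe(entries: list) -> str:
    """Vulnerable pattern: request-derived text is interpolated into HTML as-is."""
    rows = "".join(
        f"<tr><td>{e['kind']}</td><td>{e['text']}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"


def render_trace_safe(entries: list) -> str:
    """Fixed pattern: every request-derived value goes through html.escape."""
    rows = "".join(
        f"<tr><td>{html.escape(e['kind'])}</td><td>{html.escape(e['text'])}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def contains_raw_tag(rendered: str, tag: str = "script") -> bool:
    """Regression check: a literal <tag ...> element in the output means
    untrusted input reached the page without escaping."""
    return f"<{tag}" in rendered.lower()


# Constructed access-log lines (Combined Log Format, abbreviated) for the
# detection helper below.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [01/Jun/2021:12:00:00 +0000] "GET /db/t.json?_trace=1&sql=select+1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2021:12:00:01 +0000] "GET /db/t.json?_trace=1&sql=%3Cscript%3E HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jun/2021:12:00:02 +0000] "GET /db/t.json?sql=%3Cb%3E HTTP/1.1" 200 300',
]


def flag_trace_requests_with_markup(log_lines: list) -> list:
    """Return request paths where _trace=1 is set and the decoded query string
    contains angle brackets: the requests worth reviewing on an unpatched host."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if not m:
            continue
        path = m.group(1)
        query = urlparse(path).query
        if parse_qs(query).get("_trace", [""])[0] != "1":
            continue
        if any(ch in unquote_plus(query) for ch in "<>"):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    entries = trace_entries_from_url(CONSTRUCTED_URL)
    print("unsafe output leaks tag:", contains_raw_tag(render_trace_unsafe(entries)))
    print("safe output leaks tag:  ", contains_raw_tag(render_trace_safe(entries)))
    print("flagged requests:", flag_trace_requests_with_markup(CONSTRUCTED_LOG))
```

The fix is the same as in any templated view: nothing taken from the request (query values, SQL text, headers) is concatenated into HTML without passing through an escaping function, and a test such as `contains_raw_tag` on the rendered output guards against the pattern returning. The log scan only narrows which ?_trace=1 requests deserve a look; the durable mitigation is upgrading to a Datasette release that escapes the trace output.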
References
- datasette.io/plugins/datasette-auth-passwords
- github.com/advisories/GHSA-gff3-739c-gxfq
- github.com/advisories/GHSA-xw7c-jx9m-xh5g
- github.com/pypa/advisory-database/tree/main/vulns/datasette/PYSEC-2021-89.yaml
- github.com/simonw/datasette
- github.com/simonw/datasette/issues/1360
- github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g
- nvd.nist.gov/vuln/detail/CVE-2021-32670
- owasp.org/www-community/attacks/xss/
- pypi.org/project/datasette
Detect and mitigate CVE-2021-32670 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.