Skip to content

Reflected cross-site scripting issue in Datasette

High
simonw published GHSA-xw7c-jx9m-xh5g Jun 5, 2021

Package

pip datasette (pip)

Affected versions

<0.56.1

Patched versions

0.56.1,0.57

Description

Impact

The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability.

This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data.

Patches

Datasette 0.57 and 0.56.1 both include patches for this issue.

Workarounds

If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with ?_trace= or &_trace= in their query string parameters.

References

For more information

If you have any questions or comments about this advisory:

  • Open a discussion in simonw/datasette
  • Email us at swillison+datasette @ gmail.com

Severity

High

CVE ID

CVE-2021-32670

Weaknesses