{"id":"GHSA-gff3-739c-gxfq","summary":"Duplicate Advisory: Reflected cross-site scripting issue in Datasette","details":"## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-xw7c-jx9m-xh5g. This link is maintained to preserve external references.\n\n## Original Description\nDatasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.","aliases":["CVE-2021-32670","GHSA-xw7c-jx9m-xh5g","PYSEC-2021-89"],"modified":"2024-12-06T05:29:04.349658Z","published":"2021-06-10T17:22:59Z","withdrawn":"2024-09-16T15:02:24Z","database_specific":{"severity":"HIGH","nvd_published_at":"2021-06-07T22:15:00Z","cwe_ids":["CWE-79"],"github_reviewed":true,"github_reviewed_at":"2021-06-09T20:39:24Z"},"references":[{"type":"WEB","url":"https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32670"},{"type":"WEB","url":"https://github.com/simonw/datasette/issues/1360"},{"type":"WEB","url":"https://datasette.io/plugins/datasette-auth-passwords"},{"type":"WEB","url":"https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks"},{"type":"WEB","url":"https://pypi.org/project/datasette"}],"affected":[{"package":{"name":"datasette","ecosystem":"PyPI","purl":"pkg:pypi/datasette"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.56.1"}]}],"versions":["0.10","0.11","0.12","0.13","0.14","0.15","0.16","0.17","0.18","0.19","0.20","0.21","0.22","0.22.1","0.23","0.23.1","0.23.2","0.24","0.25","0.25.1","0.25.2","0.26","0.26.1","0.26.2","0.27","0.27.1","0.28","0.29","0.29.1","0.29.2","0.29.3","0.30","0.30.1","0.30.2","0.31","0.31.1","0.31.2","0.32","0.33","0.34","0.35","0.36","0.37","0.37.1","0.38","0.39","0.40","0.41","0.42","0.43","0.44","0.45","0.45a0","0.45a1","0.45a2","0.45a3","0.45a4","0.45a5","0.46","0.47","0.47.1","0.47.2","0.47.3","0.48","0.49","0.49.1","0.49a0","0.49a1","0.50","0.50.1","0.50.2","0.50a0","0.50a1","0.51","0.51.1","0.51a0","0.51a1","0.51a2","0.52","0.52.1","0.52.2","0.52.3","0.52.4","0.52.5","0.53","0.54","0.54.1","0.54a0","0.55","0.56","0.8","0.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-gff3-739c-gxfq/GHSA-gff3-739c-gxfq.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}