{"id":"GHSA-pcfx-g2j2-f6f6","summary":"Docassemble HTML and javascript injection","details":"### Impact\nA user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The HTML can also contain `\u003cscript\u003e` tags allowing JavaScript to execute on the page.\n\n### Patches\nThe vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched.\n\n### Workarounds\nIf upgrading is not possible, manually apply the changes of [4801ac7](https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa) and restart the server (e.g., by pressing Save on the Configuration screen).\n\n### Credit\n\nThe vulnerability was discovered by Riyush Ghimire (@richighimi).\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues)\n* Join the [Slack channel](https://join.slack.com/t/docassemble/shared_invite/zt-2cspzjo9j-YyE7SrLmi5muAvnPv~Bz~A)\n* Email us at jhpyle@gmail.com","aliases":["CVE-2024-27290"],"modified":"2024-03-21T18:31:05.509250Z","published":"2024-02-29T22:14:49Z","related":["CVE-2024-27290"],"database_specific":{"severity":"MODERATE","nvd_published_at":"2024-03-21T02:52:19Z","github_reviewed_at":"2024-02-29T22:14:49Z","github_reviewed":true,"cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://github.com/jhpyle/docassemble/security/advisories/GHSA-pcfx-g2j2-f6f6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27290"},{"type":"WEB","url":"https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa"},{"type":"PACKAGE","url":"https://github.com/jhpyle/docassemble"}],"affected":[{"package":{"name":"docassemble-webapp","ecosystem":"PyPI","purl":"pkg:pypi/docassemble-webapp"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.97"}]}],"versions":["0.3.10","0.3.11","0.3.12","0.3.13","0.3.14","0.3.15","0.3.16","0.3.17","0.3.18","0.3.19","0.3.2","0.3.20","0.3.21","0.3.22","0.3.23","0.3.24","0.3.25","0.3.26","0.3.27","0.3.28","0.3.29","0.3.3","0.3.30","0.3.31","0.3.32","0.3.33","0.3.34","0.3.35","0.3.36","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.0","0.4.1","0.4.10","0.4.11","0.4.12","0.4.13","0.4.14","0.4.15","0.4.16","0.4.17","0.4.18","0.4.19","0.4.2","0.4.20","0.4.21","0.4.22","0.4.23","0.4.24","0.4.25","0.4.26","0.4.27","0.4.28","0.4.29","0.4.3","0.4.30","0.4.31","0.4.32","0.4.33","0.4.34","0.4.35","0.4.36","0.4.37","0.4.38","0.4.39","0.4.4","0.4.40","0.4.41","0.4.42","0.4.43","0.4.44","0.4.45","0.4.46","0.4.47","0.4.48","0.4.49","0.4.5","0.4.50","0.4.51","0.4.52","0.4.53","0.4.54","0.4.55","0.4.56","0.4.57","0.4.58","0.4.59","0.4.6","0.4.60","0.4.61","0.4.62","0.4.63","0.4.64","0.4.65","0.4.66","0.4.67","0.4.68","0.4.69","0.4.7","0.4.70","0.4.71","0.4.72","0.4.73","0.4.74","0.4.75","0.4.76","0.4.77","0.4.78","0.4.79","0.4.8","0.4.80","0.4.9","0.5.0","0.5.1","0.5.10","0.5.100","0.5.101","0.5.102","0.5.103","0.5.104","0.5.105","0.5.106","0.5.107","0.5.108","0.5.109","0.5.11","0.5.110","0.5.111","0.5.12","0.5.13","0.5.14","0.5.15","0.5.16","0.5.17","0.5.18","0.5.19","0.5.2","0.5.20","0.5.21","0.5.22","0.5.23","0.5.24","0.5.25","0.5.26","0.5.27","0.5.28","0.5.29","0.5.3","0.5.30","0.5.31","0.5.32","0.5.33","0.5.34","0.5.35","0.5.36","0.5.37","0.5.38","0.5.39","0.5.4","0.5.40","0.5.41","0.5.42","0.5.43","0.5.44","0.5.45","0.5.46","0.5.47","0.5.48","0.5.49","0.5.5","0.5.50","0.5.51","0.5.52","0.5.53","0.5.54","0.5.55","0.5.56","0.5.57","0.5.58","0.5.59","0.5.6","0.5.60","0.5.61","0.5.62","0.5.63","0.5.64","0.5.65","0.5.66","0.5.67","0.5.68","0.5.69","0.5.7","0.5.70","0.5.71","0.5.72","0.5.73","0.5.74","0.5.75","0.5.76","0.5.77","0.5.78","0.5.79","0.5.8","0.5.80","0.5.81","0.5.82","0.5.83","0.5.84","0.5.85","0.5.86","0.5.87","0.5.88","0.5.89","0.5.9","0.5.90","0.5.91","0.5.92","0.5.93","0.5.94","0.5.95","0.5.96","0.5.97","0.5.98","0.5.99","1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.1","1.1.10","1.1.100","1.1.101","1.1.102","1.1.103","1.1.104","1.1.105","1.1.106","1.1.107","1.1.108","1.1.109","1.1.11","1.1.110","1.1.111","1.1.112","1.1.113","1.1.12","1.1.13","1.1.14","1.1.15","1.1.16","1.1.17","1.1.18","1.1.19","1.1.2","1.1.20","1.1.21","1.1.22","1.1.23","1.1.24","1.1.25","1.1.26","1.1.27","1.1.28","1.1.29","1.1.3","1.1.30","1.1.31","1.1.32","1.1.33","1.1.34","1.1.35","1.1.36","1.1.37","1.1.38","1.1.39","1.1.4","1.1.40","1.1.41","1.1.42","1.1.43","1.1.44","1.1.45","1.1.46","1.1.47","1.1.48","1.1.49","1.1.5","1.1.50","1.1.51","1.1.52","1.1.53","1.1.54","1.1.55","1.1.56","1.1.57","1.1.58","1.1.59","1.1.6","1.1.60","1.1.61","1.1.62","1.1.63","1.1.64","1.1.65","1.1.66","1.1.67","1.1.68","1.1.69","1.1.7","1.1.70","1.1.71","1.1.72","1.1.73","1.1.74","1.1.75","1.1.76","1.1.77","1.1.78","1.1.79","1.1.8","1.1.80","1.1.81","1.1.82","1.1.83","1.1.84","1.1.85","1.1.86","1.1.87","1.1.88","1.1.89","1.1.9","1.1.90","1.1.91","1.1.92","1.1.93","1.1.94","1.1.95","1.1.96","1.1.97","1.1.98","1.1.99","1.2.0","1.2.1","1.2.10","1.2.100","1.2.101","1.2.102","1.2.103","1.2.104","1.2.105","1.2.106","1.2.107","1.2.108","1.2.109","1.2.11","1.2.12","1.2.13","1.2.14","1.2.15","1.2.16","1.2.17","1.2.18","1.2.19","1.2.2","1.2.20","1.2.21","1.2.22","1.2.23","1.2.24","1.2.25","1.2.26","1.2.27","1.2.28","1.2.29","1.2.3","1.2.30","1.2.31","1.2.32","1.2.33","1.2.34","1.2.35","1.2.36","1.2.37","1.2.38","1.2.39","1.2.4","1.2.40","1.2.41","1.2.42","1.2.43","1.2.44","1.2.45","1.2.46","1.2.47","1.2.48","1.2.49","1.2.5","1.2.50","1.2.51","1.2.52","1.2.53","1.2.54","1.2.55","1.2.56","1.2.57","1.2.58","1.2.59","1.2.6","1.2.60","1.2.61","1.2.62","1.2.63","1.2.64","1.2.65","1.2.66","1.2.67","1.2.68","1.2.69","1.2.7","1.2.70","1.2.71","1.2.72","1.2.73","1.2.74","1.2.75","1.2.76","1.2.77","1.2.78","1.2.79","1.2.8","1.2.80","1.2.81","1.2.82","1.2.83","1.2.84","1.2.85","1.2.86","1.2.87","1.2.88","1.2.89","1.2.9","1.2.90","1.2.91","1.2.92","1.2.93","1.2.94","1.2.95","1.2.96","1.2.97","1.2.98","1.2.99","1.3.1","1.3.10","1.3.11","1.3.12","1.3.13","1.3.14","1.3.15","1.3.16","1.3.17","1.3.18","1.3.19","1.3.2","1.3.20","1.3.21","1.3.22","1.3.23","1.3.24","1.3.25","1.3.26","1.3.27","1.3.28","1.3.29","1.3.3","1.3.30","1.3.31","1.3.32","1.3.33","1.3.34","1.3.35","1.3.36","1.3.37","1.3.38","1.3.39","1.3.4","1.3.40","1.3.41","1.3.42","1.3.43","1.3.44","1.3.45","1.3.46","1.3.47","1.3.48","1.3.49","1.3.5","1.3.50","1.3.51","1.3.52","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.10","1.4.11","1.4.12","1.4.13","1.4.14","1.4.15","1.4.16","1.4.17","1.4.18","1.4.19","1.4.2","1.4.20","1.4.21","1.4.22","1.4.23","1.4.24","1.4.25","1.4.26","1.4.27","1.4.28","1.4.29","1.4.3","1.4.30","1.4.31","1.4.32","1.4.33","1.4.34","1.4.35","1.4.36","1.4.37","1.4.38","1.4.39","1.4.4","1.4.40","1.4.41","1.4.42","1.4.43","1.4.44","1.4.45","1.4.46","1.4.47","1.4.48","1.4.49","1.4.5","1.4.50","1.4.51","1.4.52","1.4.53","1.4.54","1.4.55","1.4.56","1.4.57","1.4.58","1.4.59","1.4.6","1.4.60","1.4.61","1.4.62","1.4.63","1.4.64","1.4.65","1.4.66","1.4.67","1.4.68","1.4.69","1.4.7","1.4.70","1.4.71","1.4.72","1.4.73","1.4.74","1.4.75","1.4.76","1.4.77","1.4.78","1.4.79","1.4.8","1.4.80","1.4.81","1.4.82","1.4.83","1.4.84","1.4.85","1.4.86","1.4.87","1.4.88","1.4.89","1.4.9","1.4.90","1.4.91","1.4.92","1.4.93","1.4.94","1.4.95","1.4.96"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-pcfx-g2j2-f6f6/GHSA-pcfx-g2j2-f6f6.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}