{"id":"PYSEC-2024-273","details":"Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["CVE-2024-42346","GHSA-x6w7-3gwf-qr9r","PYSEC-2024-272"],"modified":"2026-05-20T09:19:00.901252Z","published":"2024-09-20T19:15:15.547Z","references":[{"type":"FIX","url":"https://github.com/galaxyproject/galaxy/security/advisories/GHSA-x6w7-3gwf-qr9r"}],"affected":[{"package":{"name":"galaxy-data","ecosystem":"PyPI","purl":"pkg:pypi/galaxy-data"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"24.1.1"}]}],"versions":["19.9.0.dev0","19.9.0.dev1","19.9.0.dev2","19.9.0.dev3","20.5.0","20.9.0","20.9.1","21.9.0","22.1.1","23.0.1","23.0.2","23.0.3","23.0.4","23.0.5","23.0.6","23.1.1","23.1.2","23.1.3","23.1.4","23.1.dev0","23.2.1","24.0.0","24.0.1","24.0.2","24.0.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/galaxy-data/PYSEC-2024-273.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}