Lucene search
GoogleOSV:GHSA-J9M2-6HQ2-4R3CHistoryJul 16, 2019 - 12:52 a.m.
Cross-site Scripting in invenio-previewer
2019-07-1600:52:22
Google
osv.dev
3
0.001 Low
EPSS
Percentile
37.3%
Cross-Site Scripting (XSS) vulnerability in JSON, Markdown and iPython Notebook previewers
Impact
Several Cross-Site Scripting (XSS) vulnerabilities have been found in the JSON, Markdown and iPython Notebook previewers. The vulnerabilities would allow a malicous user to upload a JSON, Markdown or Notebook file with embedded scripts that would be executed by a victims browser.
Patches
Invenio-Previewer v1.0.0a12 fixes the issue.
Workarounds
You can remediate the vulnerability without upgrading by disabling the affected previewers. You do this by adding the following to your configuration:
PREVIEWER_PREFERENCE = [
'csv_dthreejs',
'simple_image',
# 'json_prismjs',
'xml_prismjs',
# 'mistune',
'pdfjs',
# 'ipynb',
'zip',
]
Afterwards, you should not be able to preview JSON, Markdown or iPython Notebook files.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Related
cvelist
cvelist
CVE-2019-1020019
2019-07-29 13:16:32
veracode
veracode
Cross-site Scripting (XSS)
2019-07-30 03:23:28
osv
osv
CVE-2019-1020019
2019-07-29 14:15:11
PYSEC-2019-26
2019-07-29 14:15:00
cve
cve
CVE-2019-1020019
2019-07-29 14:15:11
prion
prion
Cross site scripting
2019-07-29 14:15:00
nvd
nvd
CVE-2019-1020019
2019-07-29 14:15:11
github
github
Cross-site Scripting in invenio-previewer
2019-07-16 00:52:22