Reflected cross-site scripting issue in Datasette

2021-06-0721:47:41

Google

osv.dev

0.001 Low

EPSS

Percentile

40.2%

JSON

Impact

The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability.

This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data.

Patches

Datasette 0.57 and 0.56.1 both include patches for this issue.

Workarounds

If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with ?_trace= or &_trace= in their query string parameters.

References

For more information

If you have any questions or comments about this advisory:

Open a discussion in simonw/datasette
Email us at swillison+datasette @ gmail.com

CPENameOperatorVersion
datasetteeq0.52.2
datasetteeq0.19
datasetteeq0.48
datasetteeq0.30.2
datasetteeq0.15
datasetteeq0.9
datasetteeq0.52
datasetteeq0.49.1
datasetteeq0.18
datasetteeq0.28

Name	Operator	Version
datasette	eq	0.52.2
datasette	eq	0.19
datasette	eq	0.48
datasette	eq	0.30.2
datasette	eq	0.15
datasette	eq	0.9
datasette	eq	0.52
datasette	eq	0.49.1
datasette	eq	0.18
datasette	eq	0.28