52 matches found
PYSEC-2021-89
Datasette is an open source multi-tool for exploring and publishing data. The ?trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation...
Reflected cross-site scripting issue in Datasette
Impact The ?trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as...
GHSA-XW7C-JX9M-XH5G Reflected cross-site scripting issue in Datasette
Impact The ?trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as...
CVE-2021-32670
Datasette contains a reflected cross-site scripting vulnerability in the ?_trace=1 debugging feature due to inadequate HTML escaping. Affected versions include 0.56.1 and 0.57; patches are available in those releases. Workarounds include rejecting requests with ?_trace= or &_trace= in the query s...
CVE-2021-32670 Reflected cross-site scripting issue in Datasette
Datasette is an open source multi-tool for exploring and publishing data. The ?trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation...
Datasette 跨站脚本漏洞
Datasette is an open source multifunctional tool used by applications to explore and publish data. A cross-site scripting vulnerability exists in Datasette 0.57 and 0.56.1 that ? trace=1 input validation error. No detailed vulnerability details are provided at this time...
Information Disclosure
datasette-graphql is vulnerable to information disclosure. The vulnerability exists as it does not perform permission checks, allowing private database schema to be revealed...
datasette-graphql leaks details of the schema of private database files
Impact When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents. Patches Patched in version 1.2. Workarounds This issue is only present if a Datasette instance that includes private databases...
GHSA-74HV-QJJQ-H7G5 datasette-graphql leaks details of the schema of private database files
Impact When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents. Patches Patched in version 1.2. Workarounds This issue is only present if a Datasette instance that includes private databases...
Information Disclosure
datasette is vulnerable to information disclosure. The vulnerability exists as Cross-Site Request Forgery CRSF tokens are leaked through read-only canned queries...
CSRF tokens leaked in URL by canned query form
Impact The HTML form for a read-only canned query includes the hidden CSRF token field added in 798 for writable canned queries 698. This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhoodsearch submitti...
GHSA-Q6J3-C4WC-63VW CSRF tokens leaked in URL by canned query form
Impact The HTML form for a read-only canned query includes the hidden CSRF token field added in 798 for writable canned queries 698. This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhoodsearch submitti...