invenio-previewer is vulnerable to cross-site scripting (XSS). It does not escape the contents of a user-uploaded file and renders them directly in the JSON, Markdown and IPython Notebook previewers, allowing an attacker to inject arbitrary JavaScript into a victim's browser using a malicious file.
| CPE Name | Operator | Version |
|---|---|---|
| invenio-previewer | eq | 0.1.0 |
| invenio-previewer | le | 1.0.0a11 |
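The defect described above is file-derived text being placed into the previewer's HTML without escaping. The following is an added Python example, not invenio-previewer's own code, showing that unescaped pattern beside an escaped one for a JSON previewer; the function names and the sample upload bytes are assumptions constructed for illustration.

```python
import html
import json

# Constructed sample "uploaded" file: a JSON document whose string value
# carries a script tag, the kind of content a previewer must not render raw.
SAMPLE_JSON_UPLOAD = b'{"title": "<script>alert(1)</script>", "n": 1}'


def render_json_preview_unescaped(file_bytes: bytes) -> str:
    """Vulnerable pattern: the pretty-printed file content is embedded as-is,
    so any markup inside a JSON string value becomes live HTML."""
    text = file_bytes.decode("utf-8", errors="replace")
    pretty = json.dumps(json.loads(text), indent=2, ensure_ascii=False)
    return "<pre>" + pretty + "</pre>"


def render_json_preview(file_bytes: bytes) -> str:
    """Hardened pattern: all file-derived text is HTML-escaped before it is
    embedded in the previewer's markup, whether or not it parsed as JSON."""
    text = file_bytes.decode("utf-8", errors="replace")
    try:
        pretty = json.dumps(json.loads(text), indent=2, ensure_ascii=False)
    except ValueError:
        # Invalid JSON: show the raw text, still escaped, rather than failing open.
        pretty = text
    return "<pre>" + html.escape(pretty, quote=True) + "</pre>"


def contains_active_markup(rendered: str) -> bool:
    """Crude regression check: does a raw <script tag survive rendering?"""
    return "<script" in rendered.lower()
```

For the Markdown and notebook previewers the same rule applies to the HTML they produce: text that originates in the file must be escaped, or the generated HTML sanitized, before it reaches the page.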