Reflected cross-site scripting issue in Datasette
High severity
GitHub Reviewed
Published Jun 10, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023
Published by the National Vulnerability Database: Jun 7, 2021
Reviewed: Jun 9, 2021
Description
Datasette is an open source multi-tool for exploring and publishing data. The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords, as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy, you can work around this issue by rejecting any incoming requests with ?_trace= or &_trace= in their query string parameters.
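As an added example (not Datasette's own code) of the proxy-side workaround described above, here is an ASGI middleware that refuses requests carrying _trace= in the query string before they reach Datasette; the middleware name, the stub app and the sample query strings are constructed here, and the percent-encoded check goes one step beyond the advisory's two literal patterns.

```python
# Added example of the proxy-side workaround from the advisory: an ASGI
# middleware that rejects any request whose query string carries the _trace
# parameter before it reaches Datasette.  This is not Datasette project code;
# it assumes Datasette is served by an ASGI server that lets you wrap the app.
import asyncio
from urllib.parse import parse_qs

BLOCKED_PARAM = "_trace"


def has_trace_param(query_string: bytes) -> bool:
    """True for ?_trace=... or &_trace=..., the patterns the advisory names.
    The parsed check additionally catches percent-encoded spellings of the
    name (e.g. %5Ftrace=1), which the application-side parser would decode."""
    raw = query_string.decode("utf-8", "replace")
    if any(part.startswith(BLOCKED_PARAM + "=") for part in raw.split("&")):
        return True
    return BLOCKED_PARAM in parse_qs(raw, keep_blank_values=True)


class RejectTraceMiddleware:
    """Wrap an ASGI app; answer 400 instead of forwarding _trace requests."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and has_trace_param(scope.get("query_string", b"")):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body",
                        "body": b"query parameter _trace is not permitted\n"})
            return
        await self.app(scope, receive, send)


def response_status(query_string: bytes) -> int:
    """Drive one GET through the middleware over a stub app; return the status."""
    statuses = []
    async def stub_app(scope, receive, send):  # stands in for Datasette itself
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

    async def send(message):
        if message["type"] == "http.response.start":
            statuses.append(message["status"])

    scope = {"type": "http", "method": "GET", "path": "/", "query_string": query_string}
    asyncio.run(RejectTraceMiddleware(stub_app)(scope, None, send))
    return statuses[0]
```

Wrap the Datasette ASGI application in RejectTraceMiddleware (or apply the same rule in your reverse proxy) until you can upgrade to 0.57 or 0.56.1.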