Reflected cross-site scripting issue in Datasette

Datasette is an open source multi-tool for exploring and publishing data. The ?_trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with ?_trace= or &_trace= in their query string parameters.

References

Published by the National Vulnerability Database Jun 7, 2021

Reviewed Jun 9, 2021

Published to the GitHub Advisory Database Jun 10, 2021

Last updated Feb 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code