Several Cross-Site Scripting (XSS) vulnerabilities have been found in the JSON, Markdown and iPython Notebook previewers. The vulnerabilities would allow a malicous user to upload a JSON, Markdown or Notebook file with embedded scripts that would be executed by a victims browser.
Invenio-Previewer v1.0.0a12 fixes the issue.
You can remediate the vulnerability without upgrading by disabling the affected previewers. You do this by adding the following to your configuration:
PREVIEWER_PREFERENCE = [
Afterwards, you should not be able to preview JSON, Markdown or iPython Notebook files.
If you have any questions or comments about this advisory: