Skip to content

Cross-Site Scripting (XSS) vulnerability in JSON, Markdown and iPython Notebook previewers

lnielsen published GHSA-j9m2-6hq2-4r3c Jul 15, 2019

lnielsen published Jul 15, 2019

moderate severity
Affected versions: <1.0.0a12
Patched versions: 1.0.0a12
Package: invenio-previewer
Package ecosystem: PyPI


Several Cross-Site Scripting (XSS) vulnerabilities have been found in the JSON, Markdown and iPython Notebook previewers. The vulnerabilities would allow a malicous user to upload a JSON, Markdown or Notebook file with embedded scripts that would be executed by a victims browser.


Invenio-Previewer v1.0.0a12 fixes the issue.


You can remediate the vulnerability without upgrading by disabling the affected previewers. You do this by adding the following to your configuration:

    # 'json_prismjs',
    # 'mistune',
    # 'ipynb',

Afterwards, you should not be able to preview JSON, Markdown or iPython Notebook files.

For more information

If you have any questions or comments about this advisory:

You can’t perform that action at this time.