Skip to content

Cross-Site Scripting (XSS) vulnerability in administration interface

lnielsen published GHSA-vxh3-mvv7-265j Jul 15, 2019

lnielsen published Jul 15, 2019

moderate severity
Affected versions: <1.0.1, 1.1.0, 1.2.0, 1.2.1
Patched versions: 1.0.2, 1.1.1, 1.2.2
Package: invenio-records
Package ecosystem: PyPI


A Cross-Site Scripting (XSS) vulnerability was discovered when rendering JSON for a record in the administration interface. The vulnerability could be exploited by e.g. a user who had access to upload a new record, that an admin user would then later view in the admin interface.


All supported versions of Invenio-Records have been patched. You should upgrade to either v1.0.1, v1.1.1 or v1.2.2

For more information

If you have any questions or comments about this advisory:

You can’t perform that action at this time.