CVE-2021-32670
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-32670
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32670.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-32670
- Aliases
- Published
- 2021-06-07T22:15:07Z
- Modified
- 2024-10-12T07:34:41.787616Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Datasette is an open source multi-tool for exploring and publishing data. The
?_trace=1debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with?_trace=or&_trace=in their query string parameters. - References
Affected packages
Git / github.com/simonw/datasette
Affected ranges
- Type
- GIT
- Repo
- https://github.com/simonw/datasette
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.22.1
0.23
0.23.1
0.23.2
0.24
0.25
0.25.1
0.25.2
0.26
0.26.1
0.26.2
0.27
0.28
0.29
0.29.1
0.29.2
0.29.3
0.30
0.30.1
0.30.2
0.31
0.31.1
0.31.2
0.32
0.33
0.34
0.35
0.36
0.37
0.37.1
0.38
0.39
0.40
0.41
0.42
0.43
0.44
0.45
0.45a0
0.45a1
0.45a2
0.45a3
0.45a4
0.45a5
0.46
0.47
0.47.1
0.47.2
0.47.3
0.48
0.49
0.49.1
0.49a0
0.49a1
0.50
0.50.1
0.50.2
0.50a0
0.50a1
0.51
0.51.1
0.51a0
0.51a1
0.51a2
0.52
0.52.1
0.52.2
0.52.3
0.52.4
0.53
0.54
0.54a0
0.55
0.56
0.7
0.8
0.9