GHSA-947x-pv47-pp3q

Source

https://github.com/advisories/GHSA-947x-pv47-pp3q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-947x-pv47-pp3q/GHSA-947x-pv47-pp3q.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-947x-pv47-pp3q

Aliases

Published

2021-09-02T17:16:18Z

Modified

2024-10-25T21:17:34.307966Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Cross-site scripting in pywb

Details

Webrecorder pywb before 2.6.0 allows XSS because it does not ensure that Jinja2 templates are autoescaped.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2021-08-18T18:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2021-08-26T15:00:34Z",
    "severity": "MODERATE"
}

References

Affected packages

PyPI / pywb

Package

Name: pywb; View open source insights on deps.dev
Purl: pkg:pypi/pywb

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.6.0

Affected versions

0.*

0.2.0

0.2.2

0.3.0

0.4.0

0.4.5

0.4.7

0.5.0

0.5.1

0.5.3

0.5.4

0.6.0

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.7.0

0.7.1

0.7.2

0.7.5

0.7.6

0.7.7

0.7.8

0.8.0

0.8.1

0.8.2

0.8.3

0.9.0b1

0.9.0

0.9.1

0.9.2

0.9.3

0.9.5

0.9.6

0.9.7

0.9.8

0.10.0

0.10.1

0.10.2

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.10.9.1

0.10.10

0.11.0

0.11.1

0.11.2

0.11.3

0.11.4

0.11.5

0.30.0

0.30.1

0.31.0

0.32.0

0.32.1

0.33.0

0.33.1

0.33.2

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.2.20190227

2.2.20190311

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.5.0

2.6.0b0

2.6.0b1

2.6.0b2

2.6.0b3

2.6.0b4