Vulnerability Details : CVE-2021-32670
Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords), as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy, you can work around this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.
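The request-rejection workaround described above, as an added example that is not code from Datasette or from the advisory. It is written as a hypothetical ASGI wrapper (`RejectTraceParam`) standing in for the proxy rule, and it compares decoded parameter names rather than the raw substring; the stub application and sample query strings are constructed.

```python
import asyncio
import re
from urllib.parse import unquote_plus

BLOCKED_PARAM = "_trace"  # debugging parameter named in the advisory


def has_trace_param(query_string: bytes) -> bool:
    """Return True if any decoded parameter name in the query string is _trace."""
    text = query_string.decode("latin-1")  # ASGI hands over the raw query string as bytes
    for field in re.split(r"[&;]", text):  # accept both separators: over-block, never under-block
        name = field.split("=", 1)[0]  # also covers a bare "_trace" with no "="
        if unquote_plus(name) == BLOCKED_PARAM:
            return True
    return False


class RejectTraceParam:
    """Hypothetical ASGI wrapper standing in for the proxy rule: 403 on any _trace parameter."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and has_trace_param(scope.get("query_string", b"")):
            await send({"type": "http.response.start", "status": 403,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Forbidden"})
            return
        await self.app(scope, receive, send)


async def _stub_app(scope, receive, send):
    """Constructed stand-in for the protected application; always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for(query_string: bytes) -> int:
    """Send one constructed GET through the wrapper and return the response status."""
    sent = []

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": "/", "query_string": query_string}
    # receive is None because the stub application never reads a request body
    asyncio.run(RejectTraceParam(_stub_app)(scope, None, send))
    return sent[0]["status"]
```
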
Vulnerability category: Cross site scripting (XSS)
Exploit prediction scoring system (EPSS) score for CVE-2021-32670
Probability of exploitation activity in the next 30 days: 0.10%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 39 %
CVSS scores for CVE-2021-32670
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | 3.9 | 2.7 | GitHub, Inc. |
CWE ids for CVE-2021-32670
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-32670
- https://pypi.org/project/datasette/
  datasette · PyPI (Release Notes; Third Party Advisory)
- https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks
  Cross Site Scripting (XSS) Software Attack | OWASP Foundation (Third Party Advisory)
- https://github.com/simonw/datasette/issues/1360
  Security flaw, to be fixed in 0.56.1 and 0.57 · Issue #1360 · simonw/datasette · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g
  Reflected cross-site scripting issue in Datasette · Advisory · simonw/datasette · GitHub (Third Party Advisory)
- https://datasette.io/plugins/datasette-auth-passwords
  datasette-auth-passwords - a plugin for Datasette (Vendor Advisory)
Products affected by CVE-2021-32670
- cpe:2.3:a:datasette:datasette:*:*:*:*:*:*:*:*