archivebox 0.9.30rc84

Direct Vulnerabilities

Known vulnerabilities in the archivebox package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Arbitrary Argument Injection archivebox is a The self-hosted internet archive. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the `AddView` class. An attacker can execute arbitrary code on the server by submitting specially crafted configuration overrides to the `/add/` endpoint, which are merged without validation and exported as environment variables to downstream plugins. Note: This is only exploitable if the `PUBLIC_ADD_VIEW` setting is enabled, allowing unauthenticated access to the endpoint. How to fix Arbitrary Argument Injection? Upgrade `archivebox` to version 0.9.31rc1 or higher.	[0,0.9.31rc1)
M Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') archivebox is a The self-hosted internet archive. Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') due to the `wget` extractor. An attacker can potentially act using your logged-in admin credentials and `add/remove/modify` snapshots and `ArchiveBox` users, and generally do anything an admin user could do by viewing an archived malicious page designed to target your ArchiveBox instance. Note: This is only exploitable if you are logged in to the ArchiveBox admin site in the same browser session and view an archived malicious page. How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')? Upgrade `archivebox` to version 0.9.31rc1 or higher.	[0,0.9.31rc1)

Vulnerability

Vulnerable Version

Arbitrary Argument Injection

archivebox is a The self-hosted internet archive.

Affected versions of this package are vulnerable to Arbitrary Argument Injection via the AddView class. An attacker can execute arbitrary code on the server by submitting specially crafted configuration overrides to the /add/ endpoint, which are merged without validation and exported as environment variables to downstream plugins.

Note: This is only exploitable if the PUBLIC_ADD_VIEW setting is enabled, allowing unauthenticated access to the endpoint.

How to fix Arbitrary Argument Injection?

Upgrade archivebox to version 0.9.31rc1 or higher.

[0,0.9.31rc1)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

archivebox is a The self-hosted internet archive.

Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') due to the wget extractor. An attacker can potentially act using your logged-in admin credentials and add/remove/modify snapshots and ArchiveBox users, and generally do anything an admin user could do by viewing an archived malicious page designed to target your ArchiveBox instance.

Note: This is only exploitable if you are logged in to the ArchiveBox admin site in the same browser session and view an archived malicious page.

How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?

Upgrade archivebox to version 0.9.31rc1 or higher.

[0,0.9.31rc1)

archivebox@0.9.30rc84

Self-hosted internet archiving solution.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically