archivy@0.6.2 vulnerabilities

Minimalist knowledge base focused on digital preservation and building your second brain.

  • latest version

    1.7.7

  • first published

    4 years ago

  • latest version published

    1 year ago

  • Direct Vulnerabilities

    Known vulnerabilities in the archivy package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity) and vulnerable version range:

    • High severity: Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal due to improper path sanitization.

    How to fix Directory Traversal?

    Upgrade archivy to version 1.0.1 or higher.

    Vulnerable versions: [,1.0.1), i.e. every release before 1.0.1.
    • High severity: Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the create function in data.py.

    How to fix Directory Traversal?

    Upgrade archivy to version 1.7.2 or higher.

    Vulnerable versions: [,1.7.2), i.e. every release before 1.7.2.
    • Low severity: Open Redirect
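    Both Directory Traversal entries above come down to the same defect: a user-controlled path fragment is joined onto a storage directory without checking that the result still lies inside it. The block below is an added example, not archivy's own code (it does not reproduce the create function in data.py); safe_join, naive_join and the sample paths are hypothetical. It shows the vulnerable join beside a hardened one that resolves symlinks and verifies the result by path component, and it covers the escape vectors a reviewer checks for: "..", absolute paths, and a symlink inside the base that points outside it.

```python
import os
import tempfile


def naive_join(base_dir: str, untrusted: str) -> str:
    """The vulnerable pattern: join and normalise, but never check that the
    result is still under base_dir. "../x" and "/etc/passwd" both escape."""
    return os.path.normpath(os.path.join(base_dir, untrusted))


def safe_join(base_dir: str, untrusted: str) -> str:
    """Return the absolute path of `untrusted` inside `base_dir`, or raise
    ValueError if it would lie outside it (the directory-traversal case).

    Hypothetical helper written for this example, not archivy's code.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` entirely when `untrusted` is absolute, so
    # reject absolute input up front instead of silently honouring it.
    if os.path.isabs(untrusted):
        raise ValueError(f"absolute path not allowed: {untrusted!r}")
    # realpath collapses "." and ".." AND follows symlinks, so a link inside
    # the base that points elsewhere is caught as well.
    candidate = os.path.realpath(os.path.join(base, untrusted))
    # commonpath compares whole path components, so for base "/srv/data" a
    # candidate under "/srv/data2" is correctly rejected (a plain string
    # prefix check would accept it).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {untrusted!r}")
    return candidate


def classify(base_dir: str, untrusted: str) -> str:
    """'ok' if safe_join accepts the path, 'rejected' otherwise."""
    try:
        safe_join(base_dir, untrusted)
        return "ok"
    except ValueError:
        return "rejected"


def check_samples() -> dict:
    """Run classify over constructed sample inputs (not real archivy data)
    against a fresh temporary base directory."""
    base = tempfile.mkdtemp()
    samples = [
        "notes/todo.md",             # plain relative path: fine
        "notes/./2024/../todo.md",   # dot segments that stay inside: fine
        "../outside.md",             # classic traversal
        "/etc/passwd",               # absolute path swallows the base
        "a/../../escape",            # traversal hidden behind a valid segment
    ]
    return {p: classify(base, p) for p in samples}


def symlink_escape_is_rejected() -> bool:
    """A symlink inside the base pointing outside it is also an escape route;
    realpath() resolves it, so safe_join still rejects the path."""
    base = tempfile.mkdtemp()
    outside = tempfile.mkdtemp()
    os.symlink(outside, os.path.join(base, "link"))
    return classify(base, "link/secret.md") == "rejected"


if __name__ == "__main__":
    base = tempfile.mkdtemp()
    for path, verdict in check_samples().items():
        print(f"{path!r:28} naive -> {naive_join(base, path)}")
        print(f"{'':28} safe  -> {verdict}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

    The realpath step matters more than it looks: a check that only normalises "..", without resolving links, passes the symlink case, and a string-prefix check instead of commonpath passes sibling directories that merely share a name prefix with the base.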

    Affected versions of this package are vulnerable to Open Redirect via the /login endpoint, using the next parameter.

    How to fix Open Redirect?

    Upgrade archivy to version 1.7.0 or higher.

    Vulnerable versions: [,1.7.0), i.e. every release before 1.7.0.
    • Medium severity: Cross-site Request Forgery (CSRF)
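    The Open Redirect above is the usual login pattern: after a successful login the application redirects to whatever the next query parameter contains, so a link such as /login?next=https://evil.example sends a freshly authenticated user to an attacker's site. The block below is an added example, not archivy's code and not the fix that shipped in 1.7.0; is_safe_redirect_target, login_redirect and the sample values are hypothetical. It only accepts a local absolute path and explicitly rejects the forms that slip past a naive "no scheme, no host" check: protocol-relative "//host", the backslash and triple-slash variants browsers normalise to a host, and javascript: targets.

```python
import re
from urllib.parse import urlparse

# A safe target is a single leading "/" that is NOT followed by "/" or "\",
# and contains no backslash or control character anywhere. Browsers treat
# "/\evil.example" and "///evil.example" as scheme-relative URLs pointing at
# evil.example, and urlparse() does not flag either as having a host.
_LOCAL_PATH = re.compile(r"^/(?![/\\])[^\\\x00-\x1f\x7f]*$")


def is_safe_redirect_target(target) -> bool:
    """True only for a path on the current site, e.g. "/dataobj/3?x=1".

    Hypothetical helper written for this example, not archivy's code.
    """
    if not isinstance(target, str) or not target:
        return False
    parts = urlparse(target)
    # Anything with a scheme ("https:", "javascript:", "data:") or an
    # authority ("//evil.example") leaves the site.
    if parts.scheme or parts.netloc:
        return False
    return bool(_LOCAL_PATH.match(target))


def vulnerable_login_redirect(next_param, fallback="/") -> str:
    """Before: the equivalent of redirect(request.args.get("next"))."""
    return next_param or fallback


def login_redirect(next_param, fallback="/") -> str:
    """After: honour `next` only when it stays on this site, else fall back."""
    return next_param if is_safe_redirect_target(next_param) else fallback


if __name__ == "__main__":
    # Constructed sample values of the `next` parameter, not captured traffic.
    for nxt in ["/dataobj/3", "//evil.example/", "https://evil.example/",
                "/\\evil.example", "///evil.example", "javascript:alert(1)"]:
        print(f"{nxt!r:26} vulnerable -> {vulnerable_login_redirect(nxt)!r:26} "
              f"hardened -> {login_redirect(nxt)!r}")
```

    Allowlisting a relative path is simpler and safer than comparing the parsed host against request.host, because the host comparison has to get port, case and scheme handling right and still needs the backslash and triple-slash checks.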

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF): the /dataobj/delete/<int:dataobj_id> route performs no CSRF token validation and accepts the "GET" and "DELETE" methods rather than requiring "POST". Any page the victim visits can therefore delete a note of their choice simply by making the browser request that URL.

    PoC:

    1. Create any note and note its ID.
    2. Open the PoC.html below in your browser with that ID substituted, then click the button.
    3. Observe that the note with the specified ID was deleted.

    <!-- PoC.html -->

    <form action="http://127.0.0.1:5000/dataobj/delete/{yourNoteID}" method="GET">
      <input type="submit" value="Click me"/>
    </form>


    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade archivy to version 1.6.2 or higher.

    Vulnerable versions: [,1.6.2), i.e. every release before 1.6.2.
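    The PoC works for two independent reasons, and both need fixing: the route honours a GET, so a form (or an image tag) is enough, and even a POST carries nothing that proves the request came from the application's own page. The block below is an added example, not archivy's code and not the change that shipped in 1.6.2; it is framework-free, so the session, form and note store are plain dicts standing in for Flask's session, request.form and archivy's data layer, and issue_csrf_token, render_delete_form and the delete handlers are hypothetical. It shows the vulnerable handler beside one that rejects non-POST methods and checks a per-session token in constant time.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the per-session CSRF token embedded in forms."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_urlsafe(32)
        session["csrf_token"] = token
    return token


def render_delete_form(session: dict, dataobj_id: int) -> str:
    """The delete button the app itself renders: POST only, token included.
    Constructed markup for this example."""
    token = issue_csrf_token(session)
    return (
        f'<form action="/dataobj/delete/{dataobj_id}" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}"/>'
        f'<input type="submit" value="Delete"/></form>'
    )


def delete_dataobj_vulnerable(method: str, dataobj_id: int,
                              form: dict, session: dict, notes: dict) -> int:
    """Before: any method, no token. A cross-site <form method="GET"> or an
    <img src="http://127.0.0.1:5000/dataobj/delete/1"> deletes the note."""
    notes.pop(dataobj_id, None)
    return 302  # redirect back to the index, as the real route would


def delete_dataobj_hardened(method: str, dataobj_id: int,
                            form: dict, session: dict, notes: dict) -> int:
    """After: state change only on POST, and only with a valid token."""
    # 1. A link or plain form can only produce GET; refuse everything but POST.
    if method != "POST":
        return 405
    # 2. The token in the form must match the one bound to this session.
    #    An attacker's page cannot read the victim's session, so it cannot
    #    supply it. compare_digest keeps the comparison constant-time, and
    #    encoding to bytes avoids a TypeError on non-ASCII attacker input.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return 403
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    if dataobj_id not in notes:
        return 404
    del notes[dataobj_id]
    return 302


if __name__ == "__main__":
    notes = {1: "first note", 2: "second note"}   # constructed sample data
    session = {}
    print("vulnerable GET :", delete_dataobj_vulnerable("GET", 1, {}, session, notes), notes)
    print("hardened GET   :", delete_dataobj_hardened("GET", 2, {}, session, notes), notes)
    print("hardened POST, no token:", delete_dataobj_hardened("POST", 2, {}, session, notes))
    print(render_delete_form(session, 2))
    ok = delete_dataobj_hardened("POST", 2, {"csrf_token": session["csrf_token"]}, session, notes)
    print("hardened POST, valid token:", ok, notes)
```

    Restricting the route to POST on its own is not a fix: the attacker's page can just as easily host a form with method="POST". The token is what ties the request to a page the application served, and a SameSite cookie attribute is a worthwhile second layer but not a substitute.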