datasette@0.40 vulnerabilities

datasette is an An open source multi-tool for exploring and publishing data

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). There was a security hole with the ?_trace=1 feature as it did not correctly escape generated HTML.

This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as datasette-auth-passwords as an attacker could use the vulnerability to access protected data.

Upgrade datasette to version 0.56.1 or higher.

datasette is an An open source multi-tool for exploring and publishing data

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ?_trace= debugging feature which does not correctly escape generated HTML.

Upgrade datasette to version 0.56.1, 0.57 or higher.

datasette is an An open source multi-tool for exploring and publishing data

Affected versions of this package are vulnerable to Information Exposure. The HTML form for a read-only canned query includes the hidden CSRF token field for writable canned queries. Submitting those read-only forms exposes the CSRF token in the URL - for example: https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE. This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.

Upgrade datasette to version 0.46 or higher.