GHSA-q6j3-c4wc-63vw – datasette
Package
Manager: pip
Name: datasette
Vulnerable Version: >=0 <0.46
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
CSRF tokens leaked in URL by canned query form
Impact
The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698). This means that submitting those read-only forms exposes the CSRF token in the URL. For example, on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to: https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE
This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.
Patches
A fix for this issue has been released in Datasette 0.46.
Workarounds
You can fix this issue in a Datasette instance without upgrading by copying the 0.46 query.html template (https://raw.githubusercontent.com/simonw/datasette/0.46/datasette/templates/query.html) into a custom `templates/` directory and running Datasette with the `--template-dir=templates/` option.
References
Issue 918 discusses this in detail: https://github.com/simonw/datasette/issues/918
For more information
Contact swillison at gmail with any questions.
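The mechanism behind this advisory (a hidden CSRF token inside a form that submits with GET, so the browser serialises the token into the query string) can be checked for in rendered HTML before a page ships. The following Python is an added example and not Datasette's code; the two HTML snippets are constructed to mimic the read-only canned-query form before and after the 0.46 fix, and the real query.html markup may differ.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Hidden-field names that carry anti-CSRF tokens; "csrftoken" is the one in the advisory.
TOKEN_FIELDS = {"csrftoken", "csrfmiddlewaretoken", "_csrf", "authenticity_token"}


class FormCollector(HTMLParser):
    """Collect each <form> with its method, action and hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no method attribute submits with GET.
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "", "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden":
                self._current["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def leaking_forms(html):
    """Return (action, url_after_submit) for each GET form whose fields include a CSRF token."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        tokens = {k: v for k, v in form["hidden"].items() if k.lower() in TOKEN_FIELDS}
        # GET puts every field in the query string, so the token reaches the URL,
        # browser history and the Referer sent to external sites linked from the result.
        if form["method"] == "get" and tokens:
            findings.append((form["action"], form["action"] + "?" + urlencode(tokens)))
    return findings


# Constructed sample modelled on the pre-0.46 read-only canned-query form.
VULNERABLE_HTML = ('<form action="/fixtures/neighborhood_search" method="get">'
                   '<input type="text" name="text">'
                   '<input type="hidden" name="csrftoken" value="CSRFTOKEN-HERE">'
                   '<input type="submit"></form>')
# Constructed sample with the hidden token removed, as in the 0.46 template.
FIXED_HTML = ('<form action="/fixtures/neighborhood_search" method="get">'
              '<input type="text" name="text"><input type="submit"></form>')
```

A POST form carrying the same hidden field is not reported, since its fields travel in the request body rather than the URL.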
Metadata
Created: 2020-08-11T14:54:40Z
Modified: 2021-09-23T18:50:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-q6j3-c4wc-63vw/GHSA-q6j3-c4wc-63vw.json
CWE IDs: ["CWE-200"]
Alternative ID: N/A
Finding: F017
Auto approve: 1