GHSA-8c6x-g4fw-8rf4 whatsapp-chat-exporter

Package

Manager: pip
Name: whatsapp-chat-exporter
Vulnerable Version: >=0 <0.9.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Whatsapp-Chat-Exporter has a Cross-Site Scripting vulnerability in the HTML output of chats.

### Impact

A Cross-Site Scripting (XSS) vulnerability was found in the HTML output of chats. XSS was intended to be mitigated by Jinja's escape function. However, `autoescape=True` was missing when the Jinja environment was set up. Although the actual impact is low because the HTML file is viewed offline, an adversary may still be able to inject malicious payloads into the chat through WhatsApp. All users are affected.

### Patches

The vulnerability is patched in 0.9.5. All users are strongly advised to update the exporter to the latest version.

### Workarounds

No workaround is available. Please update the exporter to the latest version.

### References

- https://github.com/KnugiHK/WhatsApp-Chat-Exporter/commit/bfdc68cd6ad53ceecf132773f9aaba50dd80fe79
- https://owasp.org/www-community/attacks/xss/
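The missing setting described under Impact, as an added example that is not the project's own code: Jinja2's `Environment` defaults to `autoescape=False`, so message text reaches the HTML verbatim until the flag is set. The template, the sample message, and all function names are assumptions constructed for illustration.

```python
from jinja2 import DictLoader, Environment, select_autoescape

# Constructed stand-in for an exported chat page (not the exporter's real template).
TEMPLATES = {"chat.html": '<div class="msg"><b>{{ sender }}</b>: {{ text }}</div>'}

# Constructed message: markup arriving as ordinary chat text.
MESSAGE = {"sender": "Alice", "text": "<script>alert(1)</script>"}


def vulnerable_env():
    # Jinja2 default is autoescape=False: {{ text }} is emitted unmodified.
    return Environment(loader=DictLoader(TEMPLATES))


def fixed_env():
    # autoescape=True HTML-escapes every {{ ... }} expression at render time.
    return Environment(loader=DictLoader(TEMPLATES), autoescape=True)


def scoped_env():
    # Alternative: enable escaping only for templates with these extensions.
    return Environment(
        loader=DictLoader(TEMPLATES),
        autoescape=select_autoescape(["html", "xml"]),
    )


def render(env, name="chat.html"):
    return env.get_template(name).render(**MESSAGE)


def escapes_html(env, name="chat.html"):
    # Audit helper: env.autoescape is either a bool or a callable taking
    # the template name (which is what select_autoescape returns).
    setting = env.autoescape
    return bool(setting(name) if callable(setting) else setting)


if __name__ == "__main__":
    for label, env in [("default", vulnerable_env()),
                       ("autoescape=True", fixed_env()),
                       ("select_autoescape", scoped_env())]:
        print(f"{label:18} escapes={escapes_html(env)!s:5} -> {render(env)}")
```

`escapes_html` can be dropped into a unit test for any project that builds its own `Environment`, so a regression to the default fails the build instead of reaching users.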

Metadata

Created: 2023-07-10T21:54:36Z
Modified: 2023-07-10T21:54:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-8c6x-g4fw-8rf4/GHSA-8c6x-g4fw-8rf4.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F425
Auto approve: 1