Information Exposure Affecting datasette package, versions [,0.46)
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-DATASETTE-598229
- published 12 Aug 2020
- disclosed 11 Aug 2020
- credit Unknown
How to fix?
Upgrade datasette
to version 0.46 or higher.
Overview
datasette is an An open source multi-tool for exploring and publishing data
Affected versions of this package are vulnerable to Information Exposure. The HTML form for a read-only canned query includes the hidden CSRF token field for writable canned queries. Submitting those read-only forms exposes the CSRF token in the URL - for example: https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE
. This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.