GHSA-r3jc-vhf4-6v32: CKAN has Cross-site Scripting vector in the Datatables view plugin

Skip to content

Navigation Menu

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • GitHub Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• Explore

  • Learning Pathways
  • White papers, Ebooks, Webinars
  • Customer Stories
  • Partners

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-41675

CKAN has Cross-site Scripting vector in the Datatables view plugin

Moderate severity GitHub Reviewed Published Aug 21, 2024 in ckan/ckan • Updated Aug 21, 2024

Affected versions

>= 2.7.0, < 2.10.5

Description

The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector.

Impact

Sites running CKAN >= 2.7.0 with the datatables_view plugin activated. This is a plugin included in CKAN core, that not activated by default but it is widely used to preview tabular data.

Patches

This vulnerability has been fixed in CKAN 2.10.5 and 2.11.0

Workarounds

Prevent importing of tabular files to the DataStore via DataPusher, XLoader,etc, at least those published from untrusted sources.

References

• GHSA-r3jc-vhf4-6v32
• https://nvd.nist.gov/vuln/detail/CVE-2024-41675
• ckan/ckan@9e89ce8
• ckan/ckan@d7dfe8c

Published to the GitHub Advisory Database

Aug 21, 2024

Last updated

Aug 21, 2024