Headline
GHSA-8c6x-g4fw-8rf4: Whatsapp-Chat-Exporter has Cross-Site Scripting vulnerability in HTML output of chats.
Impact
A Cross-Site Scripting (XSS) vulnerability was found in the HTML output of chats. XSS is intended to be mitigated by Jinja’s escape function. However, autoescape=True was missing when setting the environment. Although the actual impact is low, considering the HTML file is being viewed offline, an adversary may still be able to inject malicious payloads into the chat through WhatsApp. All users are affected.
Patches
The vulnerability is patched in 0.9.5. All users are strongly advised to update the exporter to the latest version.
Workarounds
No workaround is available. Please update the exporter to the latest version.
References
https://github.com/KnugiHK/WhatsApp-Chat-Exporter/commit/bfdc68cd6ad53ceecf132773f9aaba50dd80fe79
https://owasp.org/www-community/attacks/xss/
Package
Whatsapp-Chat-Exporter (pip)
Affected versions
< 0.9.5
Published to the GitHub Advisory Database
Jul 10, 2023