Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cross-site scripting (XSS) vulnerability CVE-2024-37063 #1599

Closed
3 tasks done
hakan-77 opened this issue Jun 5, 2024 · 3 comments · Fixed by #1603 · May be fixed by #1604
Closed
3 tasks done

Cross-site scripting (XSS) vulnerability CVE-2024-37063 #1599

hakan-77 opened this issue Jun 5, 2024 · 3 comments · Fixed by #1603 · May be fixed by #1604
Labels
security 👮 Vulerabilities in the codebase

Comments

@hakan-77
Copy link

hakan-77 commented Jun 5, 2024

Current Behaviour

GHSA-2r57-2mrh-ggjv

A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliocusly crafted report is viewed in the browser.
References

https://nvd.nist.gov/vuln/detail/CVE-2024-37063
https://hiddenlayer.com/sai-security-advisory/ydata-june2024

Expected Behaviour

Secured

Data Description

N/A

Code that reproduces the bug

No response

pandas-profiling version

= 3.7.0, <= 4.8.3

Dependencies

N/A

OS

All OSes

Checklist

  • There is not yet another bug report for this issue in the issue tracker
  • The problem is reproducible from this bug report. This guide can help to craft a minimal bug report.
  • The issue has not been resolved by the entries listed under Common Issues.
graingert-coef added a commit to graingert-coef/ydata-profiling that referenced this issue Jun 11, 2024
@graingert-coef
enable jinja2 autoescape
3ea9c8d 
Fixes ydataai#1599
@graingert-coef graingert-coef mentioned this issue Jun 11, 2024
Draft
@fabclmnt fabclmnt linked a pull request Jun 20, 2024 that will close this issue
fix: jquery & bootstrap versions upgrade to fix vulnerables (jquery vulns related to xss and bootstrap vulns related to CVE & Sonatype) #1603
Merged
fabclmnt pushed a commit to graingert-coef/ydata-profiling that referenced this issue Jul 8, 2024
@graingert-coef @fabclmnt
enable jinja2 autoescape
3578803 
Fixes ydataai#1599
@fabclmnt fabclmnt reopened this Jul 10, 2024
@fabclmnt fabclmnt mentioned this issue Jul 10, 2024
Closed
3 tasks
@fabclmnt fabclmnt added security 👮 Vulerabilities in the codebase and removed needs-triage labels Jul 10, 2024
@fabclmnt
Copy link
Contributor

Solved with PR #1626

Available with release 4.9.0

@jjshinobi
Copy link

jjshinobi commented Jan 9, 2025
edited
Loading

@fabclmnt can you please explain how it fixes the problem mentioned in https://hiddenlayer.com/sai-security-advisory/ydata-june2024 ? This PR #1604 seems like a fix. For reference from the article:

In src/ydata_profiling/report/presentation/flavours/html/templates.py the Jinja2 template is initialized without setting autoescape to true allowing for a maliciously crafted dataset to perform an XSS attack when an HTML report is generated.

@olliestanley
Copy link

olliestanley commented Jan 15, 2025
edited
Loading

@jjshinobi @fabclmnt I can confirm this vulnerability is still present in version 4.9.0 since the PR #1626 was merged

Can this issue be reopened?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security 👮 Vulerabilities in the codebase
Projects
None yet
Milestone
No milestone
5 participants
@olliestanley @jjshinobi @fabclmnt @hakan-77 @azory-ydata