This repository has been archived by the owner on Dec 21, 2022. It is now read-only.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and Improper Encoding or Escaping of Output in server.py
Package: server.py (Flask)
Affected versions: >private.debug.3
Patched versions: None
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability is an XSS (improper neutralization of input during web page generation) and improper output encoding vulnerability. As far as is known, only servers are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
No patches have been released yet. As of commit 24f43aa, the issue has been fixed. No official releases are affected. Commits 7f9dd66, b39ad02, 96cc9f2, 4d0f88b, c29b3c8, 953fd83, 355a474, and 54b02d9 are all still vulnerable.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can manually add output escaping to the server and client, or upgrade to commit 24f43aa.
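A constructed illustration of the bug class and of the server-side half of the workaround (added example, not the repository's server.py): a handler that reflects a request parameter into generated HTML, first unescaped and then with context-appropriate encoding. The page template, the `name` parameter and the handler names are assumptions, and the standard library stands in for Flask so it runs offline; in Flask the same fix is `markupsafe.escape` on every interpolated value or Jinja autoescaping via `render_template`.

```python
"""Output escaping for a server-rendered page: vulnerable and fixed handlers."""
import html
from urllib.parse import parse_qs, quote_plus

# Constructed page template standing in for the advisory's server.py handler.
# The request parameter lands in two HTML contexts: element text and a URL
# inside an attribute. Each context needs its own encoding.
PAGE = (
    "<html><body><h1>Hello {name}</h1>"
    '<a href="/user?name={name_in_url}">profile</a></body></html>'
)


def _param(query_string: str) -> str:
    """Read the 'name' query parameter (assumed name), defaulting to empty."""
    return parse_qs(query_string).get("name", [""])[0]


def render_unsafe(query_string: str) -> str:
    """'Before': the raw parameter is interpolated into the page (CWE-79/CWE-116)."""
    name = _param(query_string)
    return PAGE.format(name=name, name_in_url=name)


def render_safe(query_string: str) -> str:
    """'After': encode for each context before interpolating.

    html.escape (quote=True by default) neutralises & < > " ' exactly as
    markupsafe.escape does in Flask; quote_plus percent-encodes the value so
    it cannot terminate the URL or the attribute it sits in. On the client
    the analogous fix is assigning textContent instead of innerHTML.
    """
    name = _param(query_string)
    return PAGE.format(
        name=html.escape(name),
        name_in_url=html.escape(quote_plus(name)),
    )


def reflects_unescaped(render, value: str) -> bool:
    """Regression check for the fix: does the value come back as raw markup?"""
    return value in render("name=" + quote_plus(value))
```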
For more information
If you have any questions or comments about this advisory: