CVE-2021-32670 HIGH

CVE-2021-32670: Reflected cross-site scripting issue in Datasette

Vendor Simonw
Product datasette
Weakness CWE-79 · XSS
Published June 7, 2021
Last update August 3, 2024
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords) as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy you can workaround this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.

Key dates

02Disclosure timeline

June 7, 2021 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-48489 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2025-8214 The Pack Elementor addon <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typing Letter Widget CVE-2025-64563 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2023-49747 WordPress Guest Author Plugin <= 2.3 is vulnerable to Cross Site Scripting (XSS) CVE-2024-23879 Cross-Site Scripting (XSS) vulnerability in Cups Easy