CVE-2023-31584 - Cross Site Scripting vulnerability in cu/silicon
Github link: https://github.com/cu/silicon
Version Affected: 1
Severity and CVSS: Will be updated once the NIST review is done.
Type: Cross Site Scripting
Root Cause: Lack of proper input validation and sanitization before inserting user-provided data (title and body) into the database.
Impact: Information Disclosure
Below is the affected function.
https://github.com/cu/silicon/blob/a9ef3681896481bbb443197b9d1c4cb7d22a5983/silicon/page.py#L66-L80
from datetime import datetime

from flask import current_app

# get_db() is silicon's own database helper, defined elsewhere in the project.


def write(title, body):
    """
    * Write a new revision (title and body) to the database.
    * If there was a problem, return error message.
    """
    try:
        db = get_db()
        # Parameterised query, so no SQL injection here; but title and body
        # are stored verbatim, with no validation or HTML handling.
        db.execute(
            "INSERT INTO pages (revision, title, body) VALUES (?, ?, ?)",
            (datetime.now().isoformat(), title, body)
        )
        db.commit()
    except Exception as err:
        current_app.logger.critical(f"Error saving page {title}: {err}")
        return "Unable to save page"
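The same write path reproduced against an in-memory table, with an unescaped render beside the encoded one, as an added example; this is constructed code, not silicon's own (the sqlite stand-in, the two render functions and the sample page content are assumptions).

```python
import html
import sqlite3
from datetime import datetime


def make_db():
    """Constructed in-memory stand-in for the 'pages' table used by the INSERT above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (revision TEXT, title TEXT, body TEXT)")
    return db


def write(db, title, body):
    """Store a revision the way the affected function does: parameterised SQL,
    but title and body kept verbatim, with no validation or HTML handling."""
    db.execute(
        "INSERT INTO pages (revision, title, body) VALUES (?, ?, ?)",
        (datetime.now().isoformat(), title, body),
    )
    db.commit()


def latest(db, title):
    """Fetch the newest revision of a page as (title, body)."""
    return db.execute(
        "SELECT title, body FROM pages WHERE title = ? ORDER BY revision DESC LIMIT 1",
        (title,),
    ).fetchone()


def render_unsafe(db, title):
    """Stored data interpolated straight into HTML: this is where stored XSS fires."""
    t, b = latest(db, title)
    return f"<h1>{t}</h1><div>{b}</div>"


def render_safe(db, title):
    """Mitigation: HTML-encode at the output boundary. Jinja2 autoescaping does
    this for you unless a template marks the value |safe or wraps it in Markup."""
    t, b = latest(db, title)
    return f"<h1>{html.escape(t, quote=True)}</h1><div>{html.escape(b, quote=True)}</div>"


def contains_active_content(rendered):
    """Crude check usable in a test or detection rule: is a live <script> tag present?"""
    return "<script" in rendered.lower()
```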