jQuery 1.12.4 Security Risks in ydata-profiling HTML Reports #1617
Hi @AndresDiagoM , this is a duplicate issue of #1600 and #1599. Also, the team is working actively on this as you can see by the development in the following PRs:
If you have more details to add to one of those I'll ask you to add there and upvote the issues. I'll be closing this one to avoid duplication.
Current Behaviour
The ydata-profiling project is currently using jQuery version 1.12.4 in the HTML reports generated by the HTMLReport() function located in ydata_profiling/src/ydata_profiling/profile_report.py. This version of the library is known to have multiple security vulnerabilities that are documented in the National Vulnerability Database (NVD), including CVE-2020-11023 and CVE-2020-11022. These vulnerabilities expose users to potential cross-site scripting (XSS) attacks, which can compromise user security by allowing attackers to execute malicious scripts in users' browsers.
The HTMLReport() function is specifically responsible for creating the HTML output that includes the outdated and vulnerable version of jQuery. This incorporation of a vulnerable library directly affects the security of the application, putting user data at risk of XSS exploits.
For more details on these vulnerabilities, refer to the NVD:
CVE-2020-11023 on NVD
CVE-2020-11022 on NVD
Expected Behaviour
The project ydata-profiling should be using a version of jQuery that is free from known security vulnerabilities to ensure the safety and security of its users. Ideally, the library should be updated to the latest stable version, such as jQuery 3.x, which has addressed and resolved the existing vulnerabilities found in earlier versions like 1.12.4.
Using a secure version of jQuery would prevent potential cross-site scripting (XSS) attacks that can be leveraged through vulnerabilities in older versions. This would help in maintaining the integrity and confidentiality of the user data processed by the ydata-profiling tool.
Data Description
N/A
Code that reproduces the bug
pandas-profiling version
4.7.0
Dependencies
OS
No response
Checklist
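A check a report consumer or CI job could run over a generated report to flag an embedded jQuery older than 3.5.0, the release that fixed CVE-2020-11022 and CVE-2020-11023. This is an added example, not code from ydata-profiling; the banner and script-src patterns it looks for, and the three sample reports, are constructed assumptions about how jQuery might appear in the HTML output.

```python
import re
from typing import Optional, Tuple

# jQuery 3.5.0 is the release that fixed CVE-2020-11022 and CVE-2020-11023.
FIXED_VERSION = (3, 5, 0)

# Assumed ways jQuery shows up in a report: the banner that ships inside
# jquery.js / jquery.min.js ("/*! jQuery v1.12.4 | ..." or
# " * jQuery JavaScript Library v1.12.4"), or a <script src> that names a
# versioned file such as ".../jquery-1.12.4.min.js".
_BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")
_SRC = re.compile(r"""<script[^>]*\ssrc=["'][^"']*jquery-(\d+)\.(\d+)\.(\d+)""", re.I)

def find_jquery_version(html: str) -> Optional[Tuple[int, int, int]]:
    """Return the oldest jQuery version referenced by the report, or None."""
    hits = [tuple(int(n) for n in m.groups()) for pat in (_BANNER, _SRC)
            for m in pat.finditer(html)]
    return min(hits) if hits else None  # the oldest copy decides the risk

def assess_report(html: str) -> dict:
    """Summarise whether the report still carries a pre-3.5.0 jQuery."""
    version = find_jquery_version(html)
    if version is None:
        return {"jquery": None, "vulnerable": False, "reason": "no jQuery found"}
    vulnerable = version < FIXED_VERSION
    return {
        "jquery": ".".join(map(str, version)),
        "vulnerable": vulnerable,
        "reason": ("older than 3.5.0: CVE-2020-11022 / CVE-2020-11023 apply"
                   if vulnerable else "3.5.0 or newer"),
    }

# Constructed sample reports (not real ydata-profiling output).
REPORT_INLINE_OLD = """<html><head><script>
/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */
</script></head><body><h1>Profile report</h1></body></html>"""
REPORT_CDN_NEW = """<html><head>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
</head><body><h1>Profile report</h1></body></html>"""
REPORT_NO_JQUERY = "<html><body><h1>Profile report</h1></body></html>"

if __name__ == "__main__":
    for name, html in [("inline 1.12.4", REPORT_INLINE_OLD),
                       ("cdn 3.7.1", REPORT_CDN_NEW),
                       ("no jquery", REPORT_NO_JQUERY)]:
        print(name, assess_report(html))
```

Point it at a real report with `assess_report(open("report.html").read())`; a `vulnerable: True` result means the report should be regenerated with a patched ydata-profiling build before it is shared.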