PT-2019-11634 · Invenio · Invenio-Previewer

Lnielsen · Published 2019-07-16 · Updated 2019-07-31 · CVE-2019-1020019

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: invenio-previewer versions prior to 1.0.0a12
Description: A Cross-Site Scripting (XSS) issue has been found in the JSON, Markdown, and IPython Notebook previewers. This would allow a malicious user to upload a file with embedded scripts that would be executed by a victim's browser when the victim previews the file.
Recommendations: For versions prior to 1.0.0a12, update to version 1.0.0a12 to fix the issue. As a temporary workaround, consider disabling the affected previewers by modifying the configuration to exclude 'json_prismjs', 'mistune', and 'ipynb' from PREVIEWER_PREFERENCE.

Labels: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2019-1020019
GHSA-J9M2-6HQ2-4R3C
PYSEC-2019-26

Affected Products

Invenio-Previewer