Unknown · Datasette · CVE-2023-40570
**Name of the Vulnerable Software and Affected Versions**
Datasette versions 1.0a0 through 1.0a3
**Description**
This issue affects Datasette instances that are reachable over the network and use a plugin such as datasette-auth-passwords to require authentication. The `/-/api` API explorer endpoint revealed the names of databases and tables, but not their contents, to unauthenticated users. Datasette 1.0a4 fixes the issue by blocking unauthenticated access to the API explorer; the Datasette read and write JSON APIs remain available as before.
**Recommendations**
For versions 1.0a0 through 1.0a3, update to version 1.0a4 to resolve the issue.
As a temporary workaround for versions 1.0a0 through 1.0a3, block all traffic to the `/-/api` path before it reaches Datasette, either in a reverse proxy such as Apache or NGINX, or by installing the datasette-block plugin and adding the necessary configuration to your metadata.json or metadata.yml file.
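The following script is an added example, not code from the advisory or from the Datasette project. It does two things a practitioner wants after reading the workaround: it emits a metadata.json fragment for the datasette-block workaround, and it checks whether an instance still serves `/-/api` to a client that presents no cookies or credentials. The `prefixes` key is assumed to be the datasette-block plugin's configuration key (verify against the README of the installed plugin version); the function names, the `api-explorer-check` user agent and the default target `http://127.0.0.1:8001` are choices made for this example.

```python
"""Check whether a Datasette instance serves the /-/api explorer to an
unauthenticated client, and emit the datasette-block workaround config.

Added example, not code from the advisory or the Datasette project.
Assumes the datasette-block plugin reads a "prefixes" list from its
plugin configuration (verify against the README of the installed version).
"""
import json
import urllib.error
import urllib.request

API_EXPLORER_PATH = "/-/api"


def block_plugin_config(prefixes=(API_EXPLORER_PATH,)):
    """Plugin configuration for datasette-block as a dict, in the
    metadata.json layout: top-level "plugins" -> plugin name -> settings."""
    return {"plugins": {"datasette-block": {"prefixes": list(prefixes)}}}


def block_plugin_metadata_json(prefixes=(API_EXPLORER_PATH,)):
    """Same configuration serialised as the contents of metadata.json."""
    return json.dumps(block_plugin_config(prefixes), indent=4)


def explorer_url(base_url):
    """Build the /-/api URL from an instance base URL, with or without a
    trailing slash."""
    return base_url.rstrip("/") + API_EXPLORER_PATH


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a login page must not count as 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=10):
    """Unauthenticated GET (no cookies, no Authorization header). Returns the
    HTTP status code; urllib raises 3xx/4xx/5xx as HTTPError, so those are
    caught and their code returned."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "api-explorer-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def api_explorer_exposed(base_url, fetch=fetch_status):
    """True when the explorer page is served (HTTP 200) without credentials.
    A patched 1.0a4 instance, a proxy deny rule, or datasette-block should all
    produce a non-200 answer here. `fetch` is injectable for offline testing."""
    return fetch(explorer_url(base_url)) == 200


if __name__ == "__main__":
    import sys

    # Default target is an assumption for this example: Datasette's usual
    # local development address.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8001"
    if api_explorer_exposed(target):
        print(f"{explorer_url(target)} is served to unauthenticated clients; "
              "upgrade to 1.0a4 or block the path. Workaround metadata.json:")
        print(block_plugin_metadata_json())
    else:
        print(f"{explorer_url(target)} is not served unauthenticated (ok)")
```

Run it as `python check_api_explorer.py https://your-instance.example` from a host that holds no session cookie for the instance. Redirects are deliberately not followed, so an instance fronted by a proxy that bounces anonymous users to a login page is reported as blocked rather than as a false 200. If a 1.0a4 or later instance still returns 200 here, inspect the response body by hand before concluding that the fix is in place.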