PT-2023-29705 · Wget+1

Pirate · Published 2023-10-19 · Updated 2023-10-30 · CVE-2023-45815

CVSS v4.0: 7.4 High
Vector: AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ArchiveBox (affected versions not specified)
Description: The issue affects users of the wget extractor who view the content it outputs. Because all archived content is served from the same host and port as the admin panel, the browser treats an archived page and the admin panel as a single origin, so the same-origin policy does nothing to separate them. If a user is logged in to the ArchiveBox admin site in the same browser session and views an archived malicious page, JavaScript in that page runs with the logged-in admin's session and can add, remove, or modify snapshots and users and perform other admin actions. For users who are not logged in, the impact is less severe: the malicious JavaScript can only read archived content.
Recommendations: To mitigate the issue, disable the wget extractor by setting archivebox config --set SAVE_WGET=False. Always log out of the admin site before viewing archived content, or view it in a separate browser profile. Serve only a static HTML version of your archive, from a different origin than the admin panel where possible, to minimize the risk of exploitation. Disable the dom extractor as well, with archivebox config --set SAVE_DOM=False, to further reduce the risk.
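The two conditions the description and recommendations above turn on, checked against a deployment, as an added example (not code from the advisory or from the ArchiveBox project): the first check compares the admin URL and a snapshot URL the way the browser's same-origin policy does (scheme, host, port, with default ports made explicit); the second parses an ArchiveBox.conf-style INI file and reports whether SAVE_WGET or SAVE_DOM are still enabled. The section name ARCHIVE_METHOD_TOGGLES, the URLs and the configuration text are assumptions constructed for the example.

```python
"""Deployment audit for the two conditions the advisory describes:
(1) archived snapshots served from the same browser origin as the admin UI,
(2) the wget / dom extractors left enabled.
Added example, not code from the advisory or from ArchiveBox. The INI layout
(section name, key spelling) mirrors ArchiveBox.conf as an assumption; the
URLs and config text below are constructed."""
from __future__ import annotations

import configparser
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Extractors the advisory tells operators to turn off.
RISKY_TOGGLES = ("SAVE_WGET", "SAVE_DOM")


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) as the browser's same-origin policy compares it.

    Default ports are made explicit so https://host/ and https://host:443/
    compare equal, as they do in the browser.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(admin_url: str, snapshot_url: str) -> bool:
    """True when script in a snapshot page runs in the admin panel's origin."""
    return origin(admin_url) == origin(snapshot_url)


def enabled_risky_extractors(conf_text: str) -> list[str]:
    """Return the risky toggles that are still True in an ArchiveBox.conf-style INI."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep SAVE_WGET uppercase instead of lowercasing keys
    cp.read_string(conf_text)
    return [
        key
        for section in cp.sections()
        for key in RISKY_TOGGLES
        if cp.has_option(section, key) and cp.getboolean(section, key)
    ]


def audit(admin_url: str, snapshot_url: str, conf_text: str) -> list[str]:
    """Findings for one deployment; an empty list means both mitigations are in place."""
    findings = []
    if same_origin(admin_url, snapshot_url):
        findings.append(
            "snapshots share the admin origin: script in an archived page "
            "can act with a logged-in admin's session"
        )
    for key in enabled_risky_extractors(conf_text):
        findings.append(f"{key}=True: disable with 'archivebox config --set {key}=False'")
    return findings


# Constructed sample inputs: a default-style deployment and a hardened one.
VULNERABLE_CONF = """
[ARCHIVE_METHOD_TOGGLES]
SAVE_WGET = True
SAVE_DOM = True
SAVE_PDF = True
"""
HARDENED_CONF = """
[ARCHIVE_METHOD_TOGGLES]
SAVE_WGET = False
SAVE_DOM = False
SAVE_PDF = True
"""
ADMIN_URL = "http://127.0.0.1:8000/admin/"
SAME_ORIGIN_SNAPSHOT = "http://127.0.0.1:8000/archive/1697712345/index.html"
# Static copy of the archive published from a separate host (assumed layout).
SEPARATE_ORIGIN_SNAPSHOT = "https://static.example.net/archive/1697712345/index.html"

if __name__ == "__main__":
    for label, snap, conf in (
        ("default deployment", SAME_ORIGIN_SNAPSHOT, VULNERABLE_CONF),
        ("hardened deployment", SEPARATE_ORIGIN_SNAPSHOT, HARDENED_CONF),
    ):
        print(f"{label}:")
        for finding in audit(ADMIN_URL, snap, conf) or ["no findings"]:
            print("  -", finding)
```

The origin comparison is the part worth keeping in mind: a different path under the same host and port (e.g. /archive/... next to /admin/) is still the same origin, so only a different scheme, host or port actually separates the archived content from the admin session.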

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-45815
GHSA-CR45-98W9-GWQX
PYSEC-2023-229

Affected Products

Archivebox
Wget