PT-2024-29500 · Ckan · Datatables View Plugin

Gatiszeiris · Published 2024-08-21 · Updated 2024-08-23 · CVE-2024-41675

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

CKAN versions 2.7.0 through 2.10.4. CKAN version 2.11.0 is not affected, but versions prior to 2.11.0 are vulnerable if they are earlier than 2.10.5.

Description

The Datatables view plugin in CKAN did not properly escape record data coming from the DataStore, leading to a potential XSS vector. This issue affects sites running CKAN with the datatables view plugin activated, which is a plugin included in CKAN core but not activated by default. It is widely used to preview tabular data.

Recommendations

For CKAN versions 2.7.0 through 2.10.4, update to CKAN 2.10.5 or later to fix the vulnerability. For CKAN versions prior to 2.11.0 and earlier than 2.10.5, update to CKAN 2.11.0 or later to fix the vulnerability. As a temporary workaround, consider preventing the import of tabular files to the DataStore via DataPusher, XLoader, etc., at least those published from untrusted sources.
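As an added illustration (not CKAN's own code), the JavaScript below contrasts a DataTables cell renderer that inserts DataStore values as raw HTML with one that escapes them first; the sample records, escapeHtml, the render helpers and the field name are constructed here and assumed, not taken from the plugin.

```javascript
// Added example, not CKAN's own code: how DataStore cell values must be
// escaped before the DataTables view writes them into the page.

// Minimal HTML escaper for text that will land inside an element's content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample of records as a DataStore search might return them after
// a CSV upload; the second row carries attacker-controlled markup in a cell.
const sampleRecords = [
  { _id: 1, city: "Vilnius", note: "ok" },
  { _id: 2, city: "<img src=x onerror=alert(1)>", note: "a & b" },
];

// Unsafe pattern: the raw value is interpolated into markup, so a cell
// containing HTML is parsed as HTML (the XSS vector the advisory describes).
function renderCellUnsafe(value) {
  return `<td>${value}</td>`;
}

// Hardened pattern: escape every value before it touches the DOM string.
function renderCellSafe(value) {
  return `<td>${escapeHtml(value)}</td>`;
}

// DataTables column definition (hypothetical field name) whose render
// callback escapes only the "display" output, leaving sort/filter data intact.
// DataTables invokes render(data, type, row, meta) once per cell.
function escapedColumn(field) {
  return {
    data: field,
    render: (data, type) => (type === "display" ? escapeHtml(data) : data),
  };
}

// Builds table rows with the chosen cell renderer so both variants can be
// compared on the same records.
function renderRows(records, fields, renderCell) {
  return records
    .map((r) => `<tr>${fields.map((f) => renderCell(r[f])).join("")}</tr>`)
    .join("");
}
```

Running both renderers over sampleRecords shows the unsafe output containing a live `<img>` element while the hardened output contains only text.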

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-41675
GHSA-R3JC-VHF4-6V32

Affected Products

Ckan
Datapusher
Datatables View Plugin
Xloader