CVE-2019-1020003
Description
Invenio-Records before 1.2.2 has a stored XSS vulnerability in its administration interface, allowing attackers with upload access to inject scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
A Cross-Site Scripting (XSS) vulnerability exists in invenio-records versions prior to 1.2.2. The issue arises from improper sanitization of JSON data when rendering records in the administration interface, allowing arbitrary script execution [1][4].
Exploitation
An attacker with access to upload new records can craft a malicious payload within the record's JSON data. When an administrator later views that record in the admin interface, the payload is executed in the context of the admin's browser [1][3]. The attacker needs record upload privileges; on the administrator's side, no action beyond viewing the record is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the administrator's browser session. This can lead to theft of session cookies, page content manipulation, or other actions performed as the admin user, potentially compromising the entire repository [1][4].
Mitigation
The vulnerability has been fixed in versions 1.0.1, 1.1.1, and 1.2.2 of invenio-records. Users should upgrade to any of these patched versions immediately [1][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
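The rendering mistake the narrative describes is the familiar one of placing serialized record JSON into an admin page without escaping it for the context it lands in. The following Python is an added illustration, not Invenio's code (the page does not show the affected view), and the record, its hostile field values and the function names are constructed for the example. It contrasts the unsafe concatenation with escaping for an HTML text context and for an inline `<script>` context, which need different treatment.

```python
import html
import json

# Constructed sample record (not from the advisory): an uploader can put
# arbitrary strings in record JSON, including markup and a closing script tag.
SAMPLE_RECORD = {
    "id": "example-record-1",
    "title": "<script>alert(document.cookie)</script>",
    "notes": "</script><img src=x onerror=alert(1)>",
}


def render_vulnerable(record: dict) -> str:
    """Admin view that concatenates raw JSON into the page (unsafe pattern).

    json.dumps() does not HTML-escape, so markup inside a string value becomes
    live markup in the administrator's browser.
    """
    return "<pre>" + json.dumps(record, indent=2) + "</pre>"


def render_html_context(record: dict) -> str:
    """Safe for an HTML text context: escape the serialized JSON as text."""
    return "<pre>" + html.escape(json.dumps(record, indent=2)) + "</pre>"


def json_for_script_context(record: dict) -> str:
    """Safe for embedding inside a <script> block (the usual 'tojson' idiom).

    HTML-escaping is wrong here (the JS engine would see a literal '&lt;'), so
    the characters that could terminate the script block or start markup are
    rewritten as JSON \\u escapes; JSON.parse decodes them to the same string.
    """
    s = json.dumps(record)  # '<', '>' and '&' only ever occur inside strings
    return (s.replace("<", "\\u003c")
             .replace(">", "\\u003e")
             .replace("&", "\\u0026")
             .replace("\u2028", "\\u2028")
             .replace("\u2029", "\\u2029"))


def render_script_context(record: dict) -> str:
    """Admin view that hands the record to page JavaScript as a literal."""
    return "<script>var record = " + json_for_script_context(record) + ";</script>"


def round_trips(record: dict) -> bool:
    """The script-context encoding must still parse back to the same record."""
    return json.loads(json_for_script_context(record)) == record


def contains_live_markup(rendered: str) -> bool:
    """Crude demo check: did the uploader's markup survive into the page?"""
    lower = rendered.lower()
    return "<script>alert" in lower or "<img " in lower


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("html context", render_html_context),
                     ("script context", render_script_context)):
        out = fn(SAMPLE_RECORD)
        print(f"--- {name}: live markup = {contains_live_markup(out)}")
        print(out)
```

The two safe renderers differ because the browser parses the two contexts differently: in HTML text, `&lt;` is inert, while inside a `<script>` block only the `\u003c` form keeps `</script>` from ending the block early. A template engine with autoescaping enabled covers the first case; the second needs the JSON filter (Jinja's `tojson` does this rewriting) rather than `|safe` on a plain `json.dumps` result.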
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| invenio-records (PyPI) | < 1.0.2 | 1.0.2 |
| invenio-records (PyPI) | >= 1.1.0, < 1.1.1 | 1.1.1 |
| invenio-records (PyPI) | >= 1.2.0, < 1.2.2 | 1.2.2 |
Affected products
- Invenio/invenio-records (v5): range < 1.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vxh3-mvv7-265j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1020003 (ghsa, ADVISORY)
- github.com/inveniosoftware/invenio-records/security/advisories/GHSA-vxh3-mvv7-265j (ghsa, x_refsource_MISC, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/invenio-records/PYSEC-2019-27.yaml (ghsa, WEB)
News mentions
No linked articles in our index yet.