CVE-2019-1020005
Description
Invenio-Communities before 1.0.0a20 contains a cross-site scripting (XSS) vulnerability due to unsanitized HTML output in templates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2019-1020005 is a stored cross-site scripting (XSS) vulnerability in invenio-communities, the Python package that manages communities in the Invenio digital library framework. The flaw exists in versions prior to 1.0.0a20. Community-supplied HTML (the community page, description and curation policy) was rendered in the about page and portal box templates through Jinja's `|safe` filter, which disables autoescaping, so whatever markup a community author stored was emitted verbatim to every viewer [1][2]. The fix commit confirms the root cause: it adds a `sanitize_html` template filter backed by the bleach library, which cleans the value against an allowlist of tags and attributes before it is marked safe [4].
Exploitation
An attacker who can create or edit a community stores script in one of the rendered fields (page, description or curation policy, the three sinks the fix touches); the script then runs for every user who views that community's about page or portal box. The attack is carried out over the network and needs no privilege beyond the ability to submit community data to the application [1]. Attack complexity is low: no race, no special configuration, just a saved field containing markup. As with any stored XSS, the victim has to load the affected page, but nothing else is required of them.
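To make the sink concrete, the following is an added example (not code from invenio-communities or from bleach) that pushes the same stored description through a pre-patch style `|safe` sink and through an allowlist cleaner. The tag and attribute allowlists are the ones the fix commit adds to config.py; the cleaner itself is a small stdlib re-implementation of the allowlist behaviour of `bleach.clean(..., strip=True)`, and the `href` scheme allowlist (http, https, mailto) is assumed to match bleach's default rather than taken from the patch. It exists so the example runs without bleach installed; html.parser is not a browser-grade parser, so a deployment should keep the real bleach-backed filter.

```python
"""Stored XSS through a `|safe` sink, and the allowlist cleaning that the
fix puts in front of it.

Added example, not code from invenio-communities or bleach. ALLOWED_TAGS and
ALLOWED_ATTRS are copied from the patch's config.py; the cleaner is a small
stdlib re-implementation of the allowlist logic of bleach.clean(strip=True),
and ALLOWED_PROTOCOLS is bleach's default URL scheme allowlist (assumed).
html.parser is not a browser-grade parser: keep bleach in production."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {
    'a', 'abbr', 'acronym', 'b', 'blockquote', 'br', 'code', 'div', 'em',
    'h1', 'h2', 'h3', 'h4', 'h5', 'i', 'li', 'ol', 'p', 'pre', 'span',
    'strike', 'strong', 'sub', 'sup', 'u', 'ul',
}
ALLOWED_ATTRS = {
    '*': ['class'],
    'a': ['href', 'title', 'name', 'class', 'rel'],
    'abbr': ['title'],
    'acronym': ['title'],
}
ALLOWED_PROTOCOLS = {'http', 'https', 'mailto'}  # assumed bleach default
URL_ATTRS = {'href'}
VOID_TAGS = {'br'}


def _safe_url(value):
    """True when the URL has no scheme or an allowlisted one. Whitespace and
    control characters are removed before the check because browsers ignore
    them inside a scheme ('java\\tscript:' still executes)."""
    compact = ''.join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(compact).scheme
    return scheme == '' or scheme in ALLOWED_PROTOCOLS


class _AllowlistCleaner(HTMLParser):
    """Drops tags and attributes that are not allowlisted; text inside a
    dropped tag is kept (escaped), which is what bleach's strip=True does."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        allowed = set(ALLOWED_ATTRS['*']) | set(ALLOWED_ATTRS.get(tag, []))
        rendered = []
        for name, value in attrs:
            value = value or ''
            if name not in allowed:
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            rendered.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.parts.append('<%s%s>' % (tag, ''.join(rendered)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # dropped tag, void tag, or never opened
        while self.open_tags:  # also closes anything left open inside it
            top = self.open_tags.pop()
            self.parts.append('</%s>' % top)
            if top == tag:
                break

    def handle_data(self, data):
        self.parts.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.parts.append('</%s>' % self.open_tags.pop())
        return ''.join(self.parts).strip()


def sanitize_html(value):
    """Same contract as the filter the patch adds to views/ui.py."""
    if not value:
        return ''
    cleaner = _AllowlistCleaner()
    cleaner.feed(value)
    cleaner.close()
    return cleaner.result()


def render_vulnerable(description):
    """Pre-patch portalbox: `{{ community.description|safe }}` emits the
    stored string verbatim, bypassing Jinja's autoescaping."""
    return '<div class="well">%s</div>' % description


def render_fixed(description):
    """Post-patch: `{{ community.description | sanitize_html | safe }}`."""
    return '<div class="well">%s</div>' % sanitize_html(description)


# Constructed sample of what an attacker would save as a community description.
PAYLOAD = ('<p>Open data <b>community</b></p>'
           '<script>alert(document.cookie)</script>'
           '<a href="javascript:alert(1)" onclick="alert(2)">join</a>'
           '<img src=x onerror="alert(3)">')

if __name__ == '__main__':
    print(render_vulnerable(PAYLOAD))
    print(render_fixed(PAYLOAD))
```

Note what survives: the `<script>` element's text is kept as plain text rather than removed, the `javascript:` href and the `onclick`/`onerror` handlers are dropped, and the `<img>` disappears because it is not in the allowlist. That is also why the allowlist in config.py matters more than the filter: every tag and attribute left on it is a promise that the host page can tolerate it.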
Impact
Successful exploitation executes attacker-controlled JavaScript in the victim's browser under the origin of the Invenio instance, with the victim's session. That allows session hijacking, theft of data the victim can see, defacement of the community pages, or any action the victim's account can perform through the site, which is most damaging when the viewer is a curator or administrator [2]. Published scores for this class of stored XSS differ by source; the linked GHSA and NVD entries carry the assigned ratings [1][2]. Because every visitor to an affected community page is exposed, the practical reach is wide on a public instance.
Mitigation
The vulnerability is fixed in invenio-communities 1.0.0a20 and later; upgrading is the recommended course of action. The fix, commit 505da72c5acd7dfbd4148f884c73c9c3372b76f4, registers a `sanitize_html` Jinja filter that calls `bleach.clean` with `strip=True` and applies it ahead of `|safe` for the community page, description and curation policy in the about page and portal box templates [4]. The permitted markup is configured through `COMMUNITIES_ALLOWED_TAGS` and `COMMUNITIES_ALLOWED_ATTRS`, so a deployment can tighten the allowlists further (for instance by dropping the `class` attribute, which the default allows on every tag). No workaround is documented for older versions; an instance that cannot upgrade would have to apply the same filter in its own templates wherever those fields are rendered with `|safe`.
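The patch sanitizes three sinks; a deployment that overrides or extends the community templates should confirm that nothing else still renders community fields with `|safe` alone. The following is an added audit script, not part of invenio-communities, that scans Jinja template text for `|safe` filters that are not preceded by `sanitize_html` in the same filter chain. The sample template text is reconstructed from the before/after lines shown in the commit diff; the script only looks at `{{ ... }}` expressions, so a `{% set %}` that marks a value safe would need a separate check.

```python
"""Audit Jinja template text for `|safe` sinks that are not preceded by
`sanitize_html` in the same filter chain.

Added example for verifying a deployment after this fix; it is not part of
invenio-communities. It works on template text only (no Jinja runtime) and
the sample templates are constructed from the pre- and post-patch lines in
the commit diff. Only {{ ... }} expressions are inspected."""
import re

EXPR_RE = re.compile(r'\{\{(.*?)\}\}', re.DOTALL)


def _filter_chain(expression):
    """Split 'a.b | f(x, y) | g' on pipes at parenthesis depth 0 and return
    the filter names in order; the leading value is dropped."""
    segments, depth, current = [], 0, []
    for ch in expression:
        if ch in '([':
            depth += 1
        elif ch in ')]':
            depth -= 1
        if ch == '|' and depth == 0:
            segments.append(''.join(current))
            current = []
        else:
            current.append(ch)
    segments.append(''.join(current))
    return [seg.strip().split('(', 1)[0].strip() for seg in segments[1:]]


def find_unsanitized_safe(template_text, sanitizer='sanitize_html'):
    """Return (line_number, expression) for every {{ ... }} that applies
    `safe` without `sanitizer` earlier in the same chain.

    Order matters: `safe` marks whatever reaches it as trusted markup, so the
    sanitizer has to run before it, not after."""
    findings = []
    for match in EXPR_RE.finditer(template_text):
        expr = match.group(1).strip()
        chain = _filter_chain(expr)
        if 'safe' not in chain:
            continue
        if sanitizer in chain[:chain.index('safe')]:
            continue
        line = template_text.count('\n', 0, match.start()) + 1
        findings.append((line, expr))
    return findings


# Constructed from the diff's '-' lines (pre-patch sinks).
BEFORE = """\
<div class="col-md-8">
  {{community.page|safe}}
</div>
<h4>{{community.title}}</h4>
{%- if community.description %}
{{ community.description|safe }}
{%- endif %}
<dt>{{ _('Curation policy:') }}</dt><dd>{{ community.curation_policy|safe|default(_('Not specified'), true) }}</dd>
"""

# Constructed from the diff's '+' lines (post-patch).
AFTER = """\
<div class="col-md-8">
  {{ community.page | sanitize_html | safe }}
</div>
<h4>{{community.title}}</h4>
{%- if community.description %}
{{ community.description | sanitize_html | safe }}
{%- endif %}
<dt>{{ _('Curation policy:') }}</dt><dd>{{ community.curation_policy | sanitize_html | safe | default(_('Not specified'), true) }}</dd>
"""

if __name__ == '__main__':
    for label, text in (('before', BEFORE), ('after', AFTER)):
        for line, expr in find_unsanitized_safe(text):
            print('%s: line %d: {{ %s }}' % (label, line, expr))
```

Run it over a checkout with something like `find templates -name '*.html' -exec python audit.py {} +` after swapping the sample strings for file contents; any hit on a field that users control is a sink the patch did not cover.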
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| invenio-communities (PyPI) | < 1.0.0a20 | 1.0.0a20 |
Affected products
- Range: < 1.0.0a20
Patches
505da72c5acd views: sanitize HTML output in templates
5 files changed · +75 −24
invenio_communities/config.py+38 −0 modified@@ -120,3 +120,41 @@ COMMUNITIES_URL_COMMUNITY_VIEW = \ '{protocol}://{host}/communities/{community_id}/' """String pattern to generate the URL for the view of a community.""" + +COMMUNITIES_ALLOWED_TAGS = [ + 'a', + 'abbr', + 'acronym', + 'b', + 'blockquote', + 'br', + 'code', + 'div', + 'em', + 'h1', + 'h2', + 'h3', + 'h4', + 'h5', + 'i', + 'li', + 'ol', + 'p', + 'pre', + 'span', + 'strike', + 'strong', + 'sub', + 'sup', + 'u', + 'ul', +] +"""List of allowed tags used to sanitize HTML output for communities.""" + +COMMUNITIES_ALLOWED_ATTRS = { + '*': ['class'], + 'a': ['href', 'title', 'name', 'class', 'rel'], + 'abbr': ['title'], + 'acronym': ['title'], +} +"""List of allowed attributes used to sanitize HTML output for communities."""
invenio_communities/templates/invenio_communities/about.html+1 −1 modified@@ -27,7 +27,7 @@ <div class="container"> <div class="row"> <div class="col-md-8"> - {{community.page|safe}} + {{ community.page | sanitize_html | safe }} </div> <div class="col-md-4"> <div class="well">{% include "invenio_communities/portalbox_main.html" %}</div>
invenio_communities/templates/invenio_communities/portalbox_main.html+2 −2 modified@@ -32,7 +32,7 @@ {%- endif %} <h4>{{community.title}}</h4> {%- if community.description %} -{{ community.description|safe }} +{{ community.description | sanitize_html | safe }} {%- endif %} {%- if community.page %} <a href="{{ url_for('invenio_communities.about', community_id=community.id) }}" class="pull-right"> @@ -45,7 +45,7 @@ <h4>{{community.title}}</h4> {%- if community.owner.profile and community.owner.profile.username %} <dt>{{ _('Curated by:') }}</dt><dd>{{ community.owner.profile.username }}</dd> {%- endif %} - <dt>{{ _('Curation policy:') }}</dt><dd>{{ community.curation_policy|safe|default(_('Not specified'), true) }}</dd> + <dt>{{ _('Curation policy:') }}</dt><dd>{{ community.curation_policy | sanitize_html | safe | default(_('Not specified'), true) }}</dd> <dt>{{ _('Created:') }}</dt><dd>{{ community.created|dateformat(format='long') }}</dd> <dt>{{ _('Harvesting API:') }}</dt><dd><a href="{{ community.oaiset_url }}">{{ _('OAI-PMH Interface') }}</a></dd> </dl>
invenio_communities/views/ui.py+12 −0 modified@@ -29,6 +29,7 @@ import copy from functools import wraps +import bleach from flask import Blueprint, abort, current_app, flash, jsonify, redirect, \ render_template, request, url_for from flask_babelex import gettext as _ @@ -53,6 +54,17 @@ ) +@blueprint.app_template_filter('sanitize_html') +def sanitize_html(value): + """Sanitizes HTML using the bleach library.""" + return bleach.clean( + value, + tags=current_app.config['COMMUNITIES_ALLOWED_TAGS'], + attributes=current_app.config['COMMUNITIES_ALLOWED_ATTRS'], + strip=True, + ).strip() + + def pass_community(f): """Decorator to pass community.""" @wraps(f)
setup.py+22 −21 modified@@ -34,19 +34,19 @@ history = open('CHANGES.rst').read() tests_require = [ - 'Flask-CeleryExt>=0.2.2', + 'Flask-CeleryExt>=0.3.2', 'SQLAlchemy-Continuum>=1.2.1', 'check-manifest>=0.25', - 'coverage>=4.0', - 'invenio-mail>=1.0.0a3', - 'invenio-oaiserver>=1.0.0a9', + 'coverage>=4.5.3', + 'invenio-mail>=1.0.2', + 'invenio-oaiserver>=1.0.3', 'isort>=4.3.3', 'mock>=1.3.0', 'pydocstyle>=1.0.0', 'pytest-cache>=1.0', - 'pytest-cov>=1.8.0', + 'pytest-cov>=2.7.1', 'pytest-pep8>=1.0.6', - 'pytest>=2.8.0,!=3.3.0', + 'pytest>=4.6.4,<5.0.0', ] extras_require = { @@ -60,13 +60,13 @@ 'Flask-Mail>=0.9.1', ], 'oai': [ - 'invenio-oaiserver>=1.0.0a8', + 'invenio-oaiserver>=1.0.3', ], 'mysql': [ - 'invenio-db[mysql]>=1.0.0b3', + 'invenio-db[mysql]>=1.0.3', ], 'postgresql': [ - 'invenio-db[postgresql]>=1.0.0b3', + 'invenio-db[postgresql]>=1.0.3', ], 'sqlite': [ 'invenio-db>=1.0.0b3', @@ -86,20 +86,21 @@ ] install_requires = [ - 'Flask-BabelEx>=0.9.3', - 'Flask>=0.11.1', + 'bleach>=2.1.3', 'elasticsearch-dsl>=2.0.0,<3.0.0', 'elasticsearch>=2.0.0,<3.0.0', - 'invenio-access>=1.0.0a11', - 'invenio-accounts>=1.0.0b1', - 'invenio-assets>=1.0.0b2', - 'invenio-files-rest>=1.0.0.a14', - 'invenio-indexer>=1.0.0a8', - 'invenio-pidstore>=1.0.0b1', - 'invenio-records>=1.0.0b1', - 'invenio-rest[cors]>=1.0.0a9', - 'invenio-search>=1.0.0a9', - 'marshmallow>=2.15.0', + 'Flask-BabelEx>=0.9.3', + 'Flask>=0.11.1', + 'invenio-access>=1.1.0', + 'invenio-accounts>=1.1.0', + 'invenio-assets>=1.1.2', + 'invenio-files-rest>=1.0.0b1', + 'invenio-indexer>=1.0.2', + 'invenio-pidstore>=1.0.0', + 'invenio-records>=1.2.0', + 'invenio-rest[cors]>=1.0.0', + 'invenio-search>=1.1.0', + 'marshmallow>=2.15.0,<3', ] packages = find_packages()
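Review bot: in config.py, COMMUNITIES_ALLOWED_ATTRS grants `class` on every tag (`'*': ['class']`) and `name` on `a`, and nothing in the hunk says why. With `class` an author can put any stylesheet class of the host site (overlay, button, hidden) on their own markup inside the community page, and a named anchor is a classic DOM-clobbering handle; consider dropping `'*': ['class']` or listing the classes the templates actually need, and document what the allowlists are meant to bound. There is also no protocols allowlist next to the tag and attribute lists, so the `href` permitted on `a` relies on bleach's own default scheme filtering; an explicit `COMMUNITIES_ALLOWED_PROTOCOLS` would keep the whole policy in one place. Nits: `h6` is missing while `h1` to `h5` are allowed, and the second docstring says "List of allowed attributes" for a dict.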
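Review bot: in about.html, `community.page` is piped to `sanitize_html` unconditionally, whereas portalbox_main.html wraps `community.description` in `{%- if community.description %}`. If `page` can be unset, the filter receives None. Guard it the same way or make the filter return an empty string for falsy input.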
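Review bot: in the curation policy line of portalbox_main.html, `sanitize_html | safe | default(_('Not specified'), true)` runs the sanitizer before `default`, so an unset curation_policy reaches `bleach.clean` before the fallback has a chance to replace it; the fallback only triggers on whatever the filter returns. Either apply `default(...)` first (`community.curation_policy | default(_('Not specified'), true) | sanitize_html | safe`) or give the filter a null guard.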
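Review bot: in ui.py, `sanitize_html` returns a plain str, so each call site has to add `| safe` itself and the pre-patch pattern `| safe` without the sanitizer stays a valid-looking sink. Returning `Markup(bleach.clean(...))` from the filter would let the templates drop `| safe` and make any remaining bare `| safe` stand out in review. `bleach.clean` also expects text, so add `if not value: return ''` for model fields that are None. Finally, none of the five changed files is a test; a regression test that renders a `<script>` payload through the filter and asserts it is gone would keep this sink covered.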
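Review bot: setup.py bundles the one dependency the fix needs (`bleach>=2.1.3`) with unrelated floor bumps across Flask-CeleryExt, coverage, the pytest pin to `<5.0.0`, every invenio-* minimum and `marshmallow<3`. That makes the security commit harder to backport onto a 1.0.0a19 deployment and hides which constraint is actually load-bearing. Move the unrelated bumps to a separate commit and state in the message why 2.1.3 is the floor for bleach.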
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mfv8-q39f-mgfg (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1020005 (NVD entry)
- github.com/inveniosoftware/invenio-communities/commit/505da72c5acd7dfbd4148f884c73c9c3372b76f4 (fix commit)
- github.com/inveniosoftware/invenio-communities/security/advisories/GHSA-mfv8-q39f-mgfg (project security advisory)
- github.com/pypa/advisory-database/tree/main/vulns/invenio-communities/PYSEC-2019-25.yaml (PyPA advisory database, PYSEC-2019-25)
News mentions
No linked articles in our index yet.