VYPR
Moderate severity · NVD Advisory · Published Jul 29, 2019 · Updated Aug 5, 2024

CVE-2019-1020019

Description

Cross-Site Scripting (XSS) vulnerabilities in invenio-previewer before 1.0.0a12 allow attackers to execute arbitrary JavaScript via crafted JSON, Markdown, or iPython Notebook files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

According to NVD [1], invenio-previewer before 1.0.0a12 contains multiple Cross-Site Scripting (XSS) vulnerabilities. The flaws exist in the JSON, Markdown, and iPython Notebook previewers, where user-uploaded file content is rendered without proper sanitization, allowing embedded scripts to execute in the browser [3][4].

An attacker can exploit these vulnerabilities by uploading a maliciously crafted JSON, Markdown, or iPython Notebook file containing embedded JavaScript. When a victim views the file using the affected previewer, the script executes in the victim's browser context. The attack requires the ability to upload files but no special privileges beyond that [3][4].

Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive data [3].

The issue is fixed in invenio-previewer version 1.0.0a12. As a workaround, administrators can disable the affected previewers (json_prismjs, mistune, ipynb) by modifying the PREVIEWER_PREFERENCE configuration list [3][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: invenio-previewer (PyPI)
Affected versions: < 1.0.0a12
Patched versions: 1.0.0a12

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.