CKAN
cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*
- >= 2.7.0
A cross-site scripting (XSS) vulnerability has been identified in the CKAN open-source data management system, specifically within the Datatables view plugin. This issue affects CKAN versions 2.7.0 and later, where the plugin is activated. The vulnerability arises because the Datatables view plugin did not properly escape record data retrieved from the DataStore, creating a potential XSS vector. The Datatables view plugin is included in CKAN core but is not activated by default. However, it is widely used to preview tabular data.
Successful exploitation results in cross-site scripting: an attacker can inject scripts that execute in the browser of any user who views the affected resource.
To reproduce this vulnerability, upload a tabular file containing unescaped JavaScript into the DataStore of a CKAN instance running version 2.7.0 or later, with the Datatables view plugin activated. This can be done through the DataPusher or XLoader. Once the data is uploaded, access the resource through the Datatables view, which will execute the injected script, demonstrating the XSS vulnerability.
Users can upgrade to CKAN versions 2.10.5 or 2.11.0, where this vulnerability has been fixed. Additionally, as a temporary workaround, avoid importing tabular files from untrusted sources into the DataStore.
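The root cause and fix described above, shown as an added example that is not CKAN's or the DataTables library's own code: DataStore-style records rendered into table rows without escaping, beside the same rendering with every cell escaped. The field/record shape (a `fields` list with `id` keys and `records` as objects) and the sample rows are assumptions constructed for the example.

```javascript
// Added illustration, not CKAN code. Models a Datatables-style view that
// turns DataStore records into <tr>/<td> markup, first unsafely, then escaped.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Stringify before escaping: DataStore cells may be null, numbers or nested
  // JSON, and a naive String() of an object would give "[object Object]".
  const text = value === null || value === undefined
    ? ''
    : typeof value === 'object' ? JSON.stringify(value) : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: cell values interpolated straight into the markup,
// so any markup stored in the DataStore becomes live HTML in the viewer.
function renderRowsUnsafe(fields, records) {
  return records
    .map((rec) => '<tr>' + fields.map((f) => `<td>${rec[f.id]}</td>`).join('') + '</tr>')
    .join('');
}

// Hardened pattern: every cell passes through escapeHtml, so record contents
// can only ever appear as text, whatever the uploaded file contained.
function renderRowsSafe(fields, records) {
  return records
    .map((rec) => '<tr>' + fields.map((f) => `<td>${escapeHtml(rec[f.id])}</td>`).join('') + '</tr>')
    .join('');
}

// Constructed sample (assumption): a DataStore-style response in which one
// uploaded cell carries markup instead of plain data.
const SAMPLE_FIELDS = [
  { id: '_id', type: 'int' },
  { id: 'name', type: 'text' },
  { id: 'meta', type: 'json' },
];
const SAMPLE_RECORDS = [
  { _id: 1, name: 'plain value', meta: { unit: 'kg' } },
  { _id: 2, name: '<script>alert(1)</script>', meta: null },
];
```

Feeding the same records through both renderers shows the difference directly: the unsafe output contains an executable `<script>` element, while the escaped output renders the identical cell as visible text.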