Cross-site scripting (XSS) vulnerability CVE-2024-37063

Current Behaviour

https://github.com/advisories/GHSA-2r57-2mrh-ggjv

A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliocusly crafted report is viewed in the browser. References

https://nvd.nist.gov/vuln/detail/CVE-2024-37063
https://hiddenlayer.com/sai-security-advisory/ydata-june2024

Expected Behaviour

Secured

Data Description

N/A

Code that reproduces the bug

No response

pandas-profiling version

= 3.7.0, <= 4.8.3

Dependencies

N/A

OS

All OSes

Checklist

[X] There is not yet another bug report for this issue in the issue tracker
[X] The problem is reproducible from this bug report. This guide can help to craft a minimal bug report.
[X] The issue has not been resolved by the entries listed under Common Issues.

ydataai / ydata-profiling

Cross-site scripting (XSS) vulnerability CVE-2024-37063 #1599