CVE-2023-31584 - Cross Site Scripting vulnerability in cu/silicon

Github link: https://github.com/cu/silicon

Version Affected: 1

Severity and CVSS: Will update when review is done by NIST.

Type: Cross Site Scripting

Root Cause: Lack of proper input validation and sanitization before inserting user-provided data (title and body) into the database.

Impact: Information Disclosure

Below is the effected function.

https://github.com/cu/silicon/blob/a9ef3681896481bbb443197b9d1c4cb7d22a5983/silicon/page.py#L66-L80

def write(title, body):
    """
    * Write a new revision (title and body) to the database.
    * If there was a problem, return error message.
    """
    try:
        db = get_db()
        db.execute(
            "INSERT INTO pages (revision, title, body) VALUES (?, ?, ?)",
            (datetime.now().isoformat(), title, body)
        )
        db.commit()
    except Exception as err:
        current_app.logger.critical(f"Error saving page {title}: {err}")
        return "Unable to save page"