
Cloud Vulnerability DB
A community-led vulnerabilities database
ArchiveBox, an open-source self-hosted web archiving system, was found to contain a security vulnerability (CVE-2023-45815) affecting all versions up to 0.6.2. The vulnerability is related to the wget extractor functionality and how archived content is executed in the browser context (GitHub Advisory).
The vulnerability stems from ArchiveBox's architecture where archived content is served from the same host and port as the admin panel. When archived pages are viewed, JavaScript executes in the same context as all other archived pages and the admin panel, effectively bypassing the browser's standard CORS/CSRF security protections. This is classified as CWE-79 (Cross-site Scripting) with a CVSS v3.1 base score of 6.4 (MEDIUM) according to GitHub's assessment, and 5.4 (MEDIUM) according to NVD's assessment (NVD).
The impact varies depending on user authentication status. For authenticated administrators, malicious JavaScript can potentially perform any administrative action, including adding/removing/modifying snapshots and users. For non-authenticated users, while they cannot modify archives, they can still read all archived content by accessing the snapshot index and iterating through it (GitHub Advisory).
Several workarounds are available:
1) Disable the wget extractor by setting archivebox config --set SAVE_WGET=False.
2) Ensure users are always logged out when viewing archived content.
3) Serve only a static HTML version of the archive.
A patch is being developed and tracked in GitHub issue #239 (GitHub Advisory).
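As an added example (not ArchiveBox project code, nor part of this report), the following script checks whether a deployment still has the wget extractor enabled and points to the first workaround above. It assumes an INI-style ArchiveBox.conf with SAVE_WGET under an [ARCHIVE_METHOD_TOGGLES] section, that an environment variable of the same name overrides the file, and that the default is True; the sample config is constructed.

```python
"""Report whether SAVE_WGET is still enabled (workaround 1 for CVE-2023-45815).

Assumptions (not confirmed by the advisory): INI config with SAVE_WGET in
[ARCHIVE_METHOD_TOGGLES], env var SAVE_WGET overrides the file, default True.
"""
import configparser
from typing import Mapping

DEFAULT_SAVE_WGET = True            # assumed upstream default
SECTION = "ARCHIVE_METHOD_TOGGLES"  # assumed section name


def parse_bool(value: str) -> bool:
    """Accept the usual spellings ArchiveBox-style configs use for booleans."""
    v = value.strip().strip('"').strip("'").lower()
    if v in ("true", "1", "yes", "on"):
        return True
    if v in ("false", "0", "no", "off"):
        return False
    raise ValueError(f"unrecognised boolean: {value!r}")


def save_wget_setting(conf_text: str, env: Mapping[str, str]) -> bool:
    """Resolve SAVE_WGET with precedence: environment > config file > default."""
    if "SAVE_WGET" in env:
        return parse_bool(env["SAVE_WGET"])
    cp = configparser.ConfigParser(interpolation=None)  # no % expansion
    cp.optionxform = str  # keep option names case-sensitive
    cp.read_string(conf_text)
    if cp.has_option(SECTION, "SAVE_WGET"):
        return parse_bool(cp.get(SECTION, "SAVE_WGET"))
    return DEFAULT_SAVE_WGET


def assess(conf_text: str, env: Mapping[str, str]) -> dict:
    """Turn the resolved setting into a finding with the advised remediation."""
    enabled = save_wget_setting(conf_text, env)
    return {
        "save_wget": enabled,
        "status": "at risk" if enabled else "mitigated",
        "advice": ("run: archivebox config --set SAVE_WGET=False"
                   if enabled else "wget extractor already disabled"),
    }


# Constructed sample config for demonstration; not from a real deployment.
SAMPLE_CONF = """
[SERVER_CONFIG]
SECRET_KEY = placeholder

[ARCHIVE_METHOD_TOGGLES]
SAVE_WGET = True
SAVE_PDF = False
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, {}))                      # at risk
    print(assess(SAMPLE_CONF, {"SAVE_WGET": "False"}))  # mitigated via env
```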
Source: This report was generated using AI