GHSA-8c6x-g4fw-8rf4: 
Python vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in WhatsApp-Chat-Exporter (GHSA-8c6x-g4fw-8rf4), affecting versions prior to 0.9.5. The vulnerability was found in the HTML output of chats, where the Jinja template engine's escape function was not properly configured due to missing autoescape=True setting. The issue was published on July 9, 2023, and subsequently patched in version 0.9.5 (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 score of 5.4 (Moderate severity), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The technical root cause was identified as a missing autoescape=True parameter when setting up the Jinja environment, which is essential for preventing XSS attacks. The vulnerability is categorized as CWE-79 (Cross-site Scripting) (GitHub Advisory).

While the actual impact is considered low due to the HTML file being viewed offline, the vulnerability could allow an adversary to inject malicious payloads into the chat through WhatsApp. The vulnerability affects all users of the affected versions, potentially compromising both confidentiality and integrity at a low level, though availability remains unaffected (GitHub Advisory).

The vulnerability has been patched in version 0.9.5 of WhatsApp-Chat-Exporter. Users are strongly advised to update to this latest version as no alternative workarounds are available. The fix involves adding autoescape=True to the Jinja environment configuration (GitHub Commit).