cvelistv5 - cve-2022-24833

CVE-2022-24833 (GCVE-0-2022-24833)

Vulnerability from cvelistv5

Published

2022-04-11 20:20

Modified

2025-04-22 18:16

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.

References

►

URL

Tags

security-advisories@github.com	https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	PrivateBin	PrivateBin	Version: >= v0.21, < v1.4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.540Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-24833",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:48:55.618680Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T18:16:25.428Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PrivateBin",
          "vendor": "PrivateBin",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= v0.21, \u003c v1.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-11T20:20:33.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
        }
      ],
      "source": {
        "advisory": "GHSA-cqcc-mm6x-vmvw",
        "discovery": "UNKNOWN"
      },
      "title": "Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24833",
          "STATE": "PUBLIC",
          "TITLE": "Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PrivateBin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= v0.21, \u003c v1.4.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "PrivateBin"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw",
              "refsource": "CONFIRM",
              "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
            },
            {
              "name": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab",
              "refsource": "MISC",
              "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-cqcc-mm6x-vmvw",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24833",
    "datePublished": "2022-04-11T20:20:33.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-04-22T18:16:25.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24833\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-04-11T21:15:08.640\",\"lastModified\":\"2024-11-21T06:51:11.973\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.\"},{\"lang\":\"es\",\"value\":\"PrivateBin es un clon de pastebin online minimalista y de c\u00f3digo abierto en el que el servidor no presenta conocimiento de los datos pegados. En PrivateBin versiones anteriores a v1.4.0, se ha encontrado una vulnerabilidad de tipo cross-site scripting (XSS). La vulnerabilidad est\u00e1 presente en todas las versiones a partir de la versi\u00f3n v0.21 del proyecto, que en ese momento todav\u00eda era llamado ZeroBin. El problema est\u00e1 causado por el hecho de que los SVG pueden contener JavaScript. Esto puede permitir a un atacante ejecutar c\u00f3digo, si el usuario abre una pasta con un archivo adjunto SVG espec\u00edficamente dise\u00f1ado, e interact\u00faa con la imagen de vista previa y la instancia no est\u00e1 protegida por una pol\u00edtica de seguridad de contenido apropiada. Es recomendado a usuarios actualizar a versi\u00f3n 1.4.0, o que aseguren de que la pol\u00edtica de seguridad de contenidos de su instancia est\u00e1 configurada correctamente\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.21\",\"versionEndExcluding\":\"1.4.0\",\"matchCriteriaId\":\"CC75A39A-6AC5-40B1-A781-48691EC6720F\"}]}]}],\"references\":[{\"url\":\"https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"PrivateBin\", \"vendor\": \"PrivateBin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= v0.21, \u003c v1.4.0\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-04-11T20:20:33.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab\"}], \"source\": {\"advisory\": \"GHSA-cqcc-mm6x-vmvw\", \"discovery\": \"UNKNOWN\"}, \"title\": \"Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-24833\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"PrivateBin\", \"version\": {\"version_data\": [{\"version_value\": \"\u003e= v0.21, \u003c v1.4.0\"}]}}]}, \"vendor_name\": \"PrivateBin\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw\"}, {\"name\": \"https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab\", \"refsource\": \"MISC\", \"url\": \"https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab\"}]}, \"source\": {\"advisory\": \"GHSA-cqcc-mm6x-vmvw\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T04:20:50.540Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-24833\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:48:55.618680Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:48:57.357Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-24833\", \"datePublished\": \"2022-04-11T20:20:33.000Z\", \"dateReserved\": \"2022-02-10T00:00:00.000Z\", \"dateUpdated\": \"2025-04-22T18:16:25.428Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2022-24833

Vulnerability from fkie_nvd

Published

2022-04-11 21:15

Modified

2024-11-21 06:51

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	privatebin	privatebin	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC75A39A-6AC5-40B1-A781-48691EC6720F",
              "versionEndExcluding": "1.4.0",
              "versionStartIncluding": "0.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly."
    },
    {
      "lang": "es",
      "value": "PrivateBin es un clon de pastebin online minimalista y de c\u00f3digo abierto en el que el servidor no presenta conocimiento de los datos pegados. En PrivateBin versiones anteriores a v1.4.0, se ha encontrado una vulnerabilidad de tipo cross-site scripting (XSS). La vulnerabilidad est\u00e1 presente en todas las versiones a partir de la versi\u00f3n v0.21 del proyecto, que en ese momento todav\u00eda era llamado ZeroBin. El problema est\u00e1 causado por el hecho de que los SVG pueden contener JavaScript. Esto puede permitir a un atacante ejecutar c\u00f3digo, si el usuario abre una pasta con un archivo adjunto SVG espec\u00edficamente dise\u00f1ado, e interact\u00faa con la imagen de vista previa y la instancia no est\u00e1 protegida por una pol\u00edtica de seguridad de contenido apropiada. Es recomendado a usuarios actualizar a versi\u00f3n 1.4.0, o que aseguren de que la pol\u00edtica de seguridad de contenidos de su instancia est\u00e1 configurada correctamente"
    }
  ],
  "id": "CVE-2022-24833",
  "lastModified": "2024-11-21T06:51:11.973",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-11T21:15:08.640",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-cqcc-mm6x-vmvw

Vulnerability from github

Published

2022-04-12 20:45

Modified

2022-04-20 16:29

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Summary

Persistent Cross-site Scripting vulnerability in PrivateBin

Details

In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present since attachments with image preview got introduced in v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy.

As a consequence, we have mitigated the vulnerability in the preview and urge server administrators to either upgrade to a version with the fix or to ensure the content security policy of their instance is set correctly, ideally both. Additionally, we expanded our directory listing tool with a checking mechanism and highly suggest server administrators to check their instance there and, should there be a warning regarding the content security policy adjust the CSP to our suggested one, as it is shown in the configuration preset.

Proof of concept

The vulnerability can be triggered as following:

Create the following SVG as a file: ```svg

alert(document.domain);

`` 2. Upload it as an attachment to a PrivateBin instance that has attachments enabled and hasn't set the recommended content security policy (in particular, one that has either no content security policy set or that allows*orblob:as ascript-src). 3. Open the paste. (In a real attack scenario this would be done by the victim.) 4. The SVG is rendered safely as a preview, and script isn't yet executed. 5. Now (depending on your device) right-click or long tap on the image and open it in a new tab. 6. Now ablob:` URI opens in a new tab with the image and the modal is shown, therefore the script got executed.

Impact

We tried to reproduce the vulnerability and in our assessment, we found out the following:

Any users who use our recommended Content Security Policy (CSP), even older, less strict ones, are not affected by this vulnerability, if a CSP compatible browser is used. All the browsers we tested with did pass on the CSP to the new tab that is opened when viewing the SVG by itself. As PrivateBin ships with a built-in CSP, we consider this a strong defence in depth against these and related issues. That said, we think the CSP should only be the last layer of defence and as such, we decided to still apply further mitigations for this security issue.
Instances that do not have attachments enabled, are not affected. Even when attachments are uploaded using a third-party client, they can't be rendered when the administrator disables them (the HTML element that they would render in isn't present and before 1.4 this caused an error, we now catch the error and only display the paste text) and thus potential exploits in the attachment file do not apply.
The inline preview (step 4 above) does not execute the script, because browsers explicitly restrict SVGs if the they are is embedded in an img tag to prevent such security issues in images. Thus, SVGs in img tags itself can be considered safe. However, when the user opens the SVG in a new tab, this browser security feature is circumvented. That's why the exploit steps above explain to open the SVG in a new tab. That being said, the impact of the vulnerability is reduced by two factors:
1. The attack explicitly requires user-interaction, i.e. the user has to be tricked into opening the preview in a new tab for some reason. This could realistically be achieved with some social engineering: The markdown formatted text part of the paste could include such an instruction as a big, bold title, or the SVG could be very large and have very small text, which the user might want to zoom into, in order to read.
2. Potential exploit code can only run in a new tab. It still has the same origin (as can be seen in the PoC above, because the domain/origin the script is running on, is shown). However, though, sensitive information like the paste content, potential comments or encryption key (in the URL) is not accessible to the attacker as the context is now a blob-URL – and would anyway consist mostly of things the attacker initially created itself. That said, the same origin policy applies and thus, what an attacker could do is read e.g. cookies and local storage data saved in the same origin. As PrivateBin itself does not use any of that, the impact of this vulnerability is limited. However, as PrivateBin is a software for self-hosting, it cannot be excluded that other services run in the same origin (e.g. on the same domain). That's why server administrators may need to evaluate the impact of running arbitrary JavaScript code on their domain/origin where PrivateBin is hosted by themselves.

To summarize, this shows a fairly limited impact, given even if the CSP had not caught the issue, the user still needs to interact with the page and the exploit code cannot access or exfiltrate any data of the PrivateBin instance. Note: However, take our assessment only as a basis for your own assessment. As explained, depending on your environment, the actual risk may vary if you are hosting other services on the same domain as PrivateBin.

As for the metrics, the impact assessment we have done with CVSS v3.1 results in this: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:X/MI:X/MA:X

Real-life impact

We found two affected instances in our instance lists (wiki, directory) that did not serve a correct Content Security Policy header, had attachments enabled and thus are vulnerable to this attack. We didn't manage to get into contact with the administrators of these sites, though.

In addition to that, we found that multiple instances do seem to either strip our CSP or have it changed to an unsafe setting and have thus expanded our directory service to verify whether our recommend CSP is used or not. (see below) We have no reports that indicate this vulnerability was or is being actively exploited at the time of this report.

Patches

To fix the problem, we took the following measures (in no particular order):

We apply DOMpurify (a library we already use to sanitize user-submitted HTML via the Markdown format) to the SVG preview, too. It strips script tags and other uncommon security-relevant and potentially malicious tags/properties from the SVG file. So whether you open the SVG in a new tab or not and whether CSP is present and enabled or not does not matter any more, as the displayed SVG is sanitized.
As a further defence in depth mechanism we now send the CSP both as an HTTP header, as well as a meta tag. This protects instance with mis-configured web servers, CDNs, proxy or similar, from stripping or breaking the CSP headers, as they still get the CSP inside of the HTML content itself. Please note though, that the meta tag approach is not as strong as the HTTP header approach and should thus only be considered as a fallback.
The PrivateBin Directory now also scans whether the recommend Content-Security-Policy header is used on a given instance. If you do not want to have your website appear in the list, but check it manually you can use a separate check page there.

The code-changes in PrivateBin can be found in https://github.com/PrivateBin/PrivateBin/pull/906.

Note: Please note that we explicitly chose to not apply DOMPurify if you download the (SVG) attachment with the download button. Subsequently, if a user would manually opens the downloaded SVG in the browser, it will be opened from the file:// protocol and thus from a different origin, so all reference to the download location is lost and no more security risk is associated with that, than opening any website or local HTML file. Thus, the SVG file with stay intact in it's original form, if you download the attachment. We consider the execution of code from attachments outside of the PrivateBin instance's context to be out of scope to mitigate (i.e. malware in executables, office documents macros, PDF scripts), as all of these require client side mitigations to be applied to all such downloaded file types, independent on where they get downloaded from.

Workarounds

We strongly recommend you to upgrade to our latest release, especially as we also upgraded outdated and potential vulnerable libraries (see below). However, here are two workarounds that may help you to mitigate this vulnerability:

Update the CSP in your configuration file to the latest recommended settings and check that it isn't getting reverted or overwritten by your web server, reverse proxy or CDN, i.e. using our offered check service.
Deploying PrivateBin on a separate domain may limit the scope of the vulnerability to PrivateBin itself and thus, as described in the “Impact” section, effectively prevent any damage by the vulnerability to other resources you are hosting.
As explained in the impact assessment, disabling attachments also prevents this issue.

References

We highly encourage server administrators and others involved with the PrivateBin project to read-up on how Content-Security-Policies work, especially should you consider to manually adjust it: * https://content-security-policy.com/ * https://developer.mozilla.org/docs/Web/HTTP/CSP * https://developers.google.com/web/fundamentals/security/csp/

Also please note that if multiple headers are set (as e.g. done via our now introduced meta tag) browsers should apply the most restrictive set of the policies, as per the CSP specification.

For more information

Please notice we also upgraded jQuery that was reported to us as being vulnerable both by our automated container security scanning as well as by users. By doing so, we also updated all other dependencies we use. Our tooling identified the following vulnerabilities in jQuery: * CVE-2020-11023 * CVE-2020-11022

In a limited assessment about these when we were made aware of them we could not find any immediate risk, but nevertheless, we encourage users to upgrade to be on the safe side.

Finally, we also upgraded zlib to address CVE-2018-25032.

Timeline

2022-02-22 – Initial contact by reporter.
2022-02-25 – Reporter sends in a detailed report.
2022-02-26 – Report gets reviewed, initial findings around the content security get shared and reporter withdraws report.
2022-04-09 – Vulnerability details published.

Credits

This vulnerability was reported by Ian Budd, Nethemba s.r.o, which we'd like to thank for that. In general, we'd like to thank everyone reporting issues and potential vulnerabilities to us.

If you think you have found a vulnerability or potential security risk, we'd kindly ask you to follow our security policy and report it to us. We then assess the report and will take the actions we deem necessary to address it.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "privatebin/privatebin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.21"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-12T20:45:22Z",
    "nvd_published_at": "2022-04-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present since attachments with image preview got introduced in v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy.\n\nAs a consequence, we have mitigated the vulnerability in the preview and urge server administrators to either **upgrade** to a version with the fix or to ensure the content security policy of their instance is set correctly, ideally both. Additionally, we expanded our [directory listing tool with a checking mechanism](https://privatebin.info/directory/check) and **highly suggest server administrators to check their instance there** and, should there be a warning regarding the content security policy **adjust the CSP to our suggested one**, as it is shown in the configuration preset.\n\n## Proof of concept\n\nThe vulnerability can be triggered as following:\n\n1. Create the following SVG as a file:\n```svg\n\u003c?xml version=\"1.0\" standalone=\"no\"?\u003e\n\u003c!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"\u003e\n\n\u003csvg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\n \u003cpolygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/\u003e\n \u003cscript type=\"text/javascript\"\u003e\n   alert(document.domain);\n \u003c/script\u003e\n\u003c/svg\u003e\n```\n2. Upload it as an attachment to a PrivateBin instance that has attachments enabled and hasn\u0027t set the recommended content security policy (in particular, one that has either no content security policy set or that allows `*` or `blob:` as a `script-src`).\n3. Open the paste. (In a real attack scenario this would be done by the victim.)\n4. The SVG is rendered safely as a preview, and script isn\u0027t yet executed.\n5. Now (depending on your device) right-click or long tap on the image and open it in a new tab.\n6. Now a `blob:` URI opens in a new tab with the image and the modal is shown, therefore the script got executed.\n\n## Impact\n\nWe tried to reproduce the vulnerability and in our assessment, we found out the following:\n\n1. Any users who use our recommended _Content Security Policy_ (CSP), even older, less strict ones, are **not affected** by this vulnerability, if a [CSP compatible browser](https://caniuse.com/contentsecuritypolicy) is used. All the browsers we tested with did pass on the CSP to the new tab that is opened when viewing the SVG by itself.\n  As PrivateBin ships with a [built-in CSP](https://github.com/PrivateBin/PrivateBin/wiki/Configuration#cspheader), we consider this a strong defence in depth against these and related issues. That said, we think the CSP should only be the last layer of defence and as such, we decided to still apply further mitigations for this security issue.\n2. Instances that do not have attachments enabled, are not affected. Even when attachments are uploaded using a third-party client, they can\u0027t be rendered when the administrator disables them (the HTML element that they would render in isn\u0027t present and before 1.4 this caused an error, we now catch the error and only display the paste text) and thus potential exploits in the attachment file do not apply.\n3. The inline preview (step 4 above) does _not_ execute the script, because [browsers explicitly restrict SVGs if the they are is embedded in an `img` tag](https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions) to prevent such security issues in images. Thus, [SVGs in `img` tags itself can be considered safe](https://www.w3.org/TR/CSP2/#which-policy-applies).\n  However, when the user opens the SVG in a new tab, this browser security feature is circumvented. That\u0027s why the exploit steps above explain to open the SVG in a new tab. That being said, the impact of the vulnerability is reduced by two factors:\n    1. The attack explicitly requires **user-interaction**, i.e. the user has to be tricked into opening the preview in a new tab for some reason. This could realistically be achieved with some social engineering: The markdown formatted text part of the paste could include such an instruction as a big, bold title, or the SVG could be very large and have very small text, which the user might want to zoom into, in order to read. \n    2. Potential exploit code can only run in a new tab. It still has the same origin (as can be seen in the PoC above, because the domain/origin the script is running on, is shown). However, though, sensitive information like the paste content, potential comments or encryption key (in the URL) is not accessible to the attacker as the context is now a blob-URL \u2013 and would anyway consist mostly of things the attacker initially created itself.\n      That said, [the same origin policy applies](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) and thus, what an attacker could do is read e.g. cookies and local storage data saved in the same origin. As PrivateBin itself does not use any of that, the impact of this vulnerability is limited. However, as PrivateBin is a software for self-hosting, it cannot be excluded that other services run in the same origin (e.g. on the same domain). That\u0027s why server administrators may need to evaluate the impact of running arbitrary JavaScript code on their domain/origin where PrivateBin is hosted by themselves.\n\nTo summarize, this shows a fairly limited impact, given even if the CSP had not caught the issue, the user still needs to interact with the page and the exploit code cannot access or exfiltrate any data of the PrivateBin instance.\n**Note:** However, take our assessment only as a basis for your own assessment. As explained, depending on your environment, the actual risk may vary if you are hosting other services on the same domain as PrivateBin.\n\nAs for the metrics, the impact assessment we have done with [CVSS v3.1](https://nvd.nist.gov/vuln-metrics/cvss) results in this:\n[AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:X/MI:X/MA:X](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:X/MI:X/MA:X\u0026version=3.1)\n\n### Real-life impact\n\nWe found two affected instances in our instance lists (wiki, directory) that did not serve a correct Content Security Policy header, had attachments enabled and thus are vulnerable to this attack. We didn\u0027t manage to get into contact with the administrators of these sites, though.\n\nIn addition to that, we found that multiple instances do seem to either strip our CSP or have it changed to an unsafe setting and have thus expanded our directory service to verify whether our recommend CSP is used or not. (see below)\nWe have no reports that indicate this vulnerability was or is being actively exploited at the time of this report.\n\n## Patches\nTo fix the problem, we took the following measures (in no particular order):\n\n* We apply [DOMpurify](https://github.com/cure53/DOMPurify/) (a library we already use to sanitize user-submitted HTML via the Markdown format) to the SVG preview, too. It strips script tags and other uncommon security-relevant and potentially malicious tags/properties from the SVG file.\n  So whether you open the SVG in a new tab or not and whether CSP is present and enabled or not does not matter any more, as the displayed SVG is sanitized.\n* As a further defence in depth mechanism we now send the CSP both as an HTTP header, as well as a meta tag. This protects instance with  mis-configured web servers, CDNs, proxy or similar, from stripping or breaking the CSP headers, as they still get the CSP inside of the HTML content itself. Please note though, that the [meta tag approach is not as strong as the HTTP header approach](https://content-security-policy.com/examples/meta/) and should thus only be considered as a fallback. \n* The [PrivateBin Directory](https://privatebin.info/) now also scans whether the recommend Content-Security-Policy header is used on a given instance. If you do not want to have your website appear in the list, but check it manually [you can use a separate check page](https://privatebin.info/directory/check) there.\n\nThe code-changes in PrivateBin can be found in https://github.com/PrivateBin/PrivateBin/pull/906.\n\n**Note:** Please note that we explicitly chose to _not_ apply _DOMPurify_ if you download the (SVG) attachment with the download button. Subsequently, if a user would manually opens the downloaded SVG in the browser, it will be opened from the `file://` protocol and thus from a [different origin](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy), so all reference to the download location is lost and no more security risk is associated with that, than opening any website or local HTML file. Thus, the SVG file with stay intact in it\u0027s original form, if you download the attachment. \nWe consider the execution of code from attachments outside of the PrivateBin instance\u0027s context to be out of scope to mitigate (i.e. malware in executables, office documents macros, PDF scripts), as all of these require client side mitigations to be applied to all such downloaded file types, independent on where they get downloaded from.\n\n## Workarounds\n\nWe strongly recommend you to upgrade to our latest release, especially as we also upgraded outdated and potential vulnerable libraries (see below). However, here are two workarounds that may help you to mitigate this vulnerability:\n\n* Update the [CSP in your configuration file](https://github.com/PrivateBin/PrivateBin/wiki/Configuration#cspheader) to the latest recommended settings and check that it isn\u0027t getting reverted or overwritten by your web server, reverse proxy or CDN, i.e. using [our offered check service](https://privatebin.info/directory/check).\n* Deploying PrivateBin on a separate domain may limit the scope of the vulnerability to PrivateBin itself and thus, as described in the \u201cImpact\u201d section, effectively prevent any damage by the vulnerability to other resources you are hosting.\n* As explained in the impact assessment, disabling attachments also prevents this issue.\n\n## References\nWe highly encourage server administrators and others involved with the PrivateBin project to read-up on how Content-Security-Policies work, especially should you consider to manually adjust it:\n* https://content-security-policy.com/\n* https://developer.mozilla.org/docs/Web/HTTP/CSP\n* https://developers.google.com/web/fundamentals/security/csp/\n\nAlso please note that if multiple headers are set (as e.g. done via our now introduced meta tag) [browsers should apply the most restrictive set of the policies](https://stackoverflow.com/a/51153816/5008962), [as per the CSP specification](https://www.w3.org/TR/CSP2/#enforcing-multiple-policies).\n\n## For more information\n\nPlease notice we also upgraded [jQuery](https://github.com/PrivateBin/PrivateBin/pull/880) that was reported to us as being vulnerable both by [our automated container security scanning](https://github.com/PrivateBin/docker-nginx-fpm-alpine/issues/69#issue-1006943396) as well as [by users](https://github.com/PrivateBin/PrivateBin/issues/864).\nBy doing so, we also updated all [other dependencies we use](https://github.com/PrivateBin/PrivateBin/pull/888). Our tooling identified the following vulnerabilities in jQuery:\n  * CVE-2020-11023\n  * CVE-2020-11022 \n\nIn [a limited assessment about these when we were made aware of them](https://github.com/PrivateBin/docker-nginx-fpm-alpine/issues/69#issuecomment-928261418) we could not find any immediate risk, but nevertheless, we encourage users to upgrade to be on the safe side.\n\nFinally, we also [upgraded zlib](https://github.com/PrivateBin/PrivateBin/pull/909) to address CVE-2018-25032.\n\n## Timeline\n\n* 2022-02-22 \u2013 Initial contact by reporter.\n* 2022-02-25 \u2013 Reporter sends in a detailed report.\n* 2022-02-26 \u2013 Report gets reviewed, initial findings around the content security get shared and reporter withdraws report.\n* 2022-04-09 \u2013 Vulnerability details published.\n\n## Credits\n\nThis vulnerability was reported by Ian Budd, [Nethemba s.r.o](https://www.nethemba.com/), which we\u0027d like to thank for that.\nIn general, we\u0027d like to thank everyone reporting issues and potential vulnerabilities to us.\n\nIf you think you have found a vulnerability or potential security risk, [we\u0027d kindly ask you to follow our security policy](https://github.com/PrivateBin/PrivateBin/blob/master/SECURITY.md) and report it to us. We then assess the report and will take the actions we deem necessary to address it.",
  "id": "GHSA-cqcc-mm6x-vmvw",
  "modified": "2022-04-20T16:29:00Z",
  "published": "2022-04-12T20:45:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PrivateBin/PrivateBin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Persistent Cross-site Scripting vulnerability in PrivateBin"
}

gsd-2022-24833

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-24833

Aliases

CVE-2022-24833

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24833",
    "description": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.",
    "id": "GSD-2022-24833"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24833"
      ],
      "details": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.",
      "id": "GSD-2022-24833",
      "modified": "2023-12-13T01:19:43.524252Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-24833",
        "STATE": "PUBLIC",
        "TITLE": "Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "PrivateBin",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= v0.21, \u003c v1.4.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "PrivateBin"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw",
            "refsource": "CONFIRM",
            "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
          },
          {
            "name": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab",
            "refsource": "MISC",
            "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-cqcc-mm6x-vmvw",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=0.21,\u003c1.4.0",
          "affected_versions": "All versions starting from 0.21 before 1.4.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-04-19",
          "description": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.",
          "fixed_versions": [
            "1.4.0"
          ],
          "identifier": "CVE-2022-24833",
          "identifiers": [
            "CVE-2022-24833",
            "GHSA-cqcc-mm6x-vmvw"
          ],
          "not_impacted": "All versions before 0.21, all versions starting from 1.4.0",
          "package_slug": "packagist/privatebin/privatebin",
          "pubdate": "2022-04-11",
          "solution": "Upgrade to version 1.4.0 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-24833",
            "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab",
            "https://github.com/advisories/GHSA-cqcc-mm6x-vmvw"
          ],
          "uuid": "da4bf264-5173-44f1-b452-257daa74f41b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.0",
                "versionStartIncluding": "0.21",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24833"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin \u003c v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn\u0027t protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab"
            },
            {
              "name": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-04-19T15:29Z",
      "publishedDate": "2022-04-11T21:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-24833 (GCVE-0-2022-24833)

Vulnerability from cvelistv5

fkie_cve-2022-24833

Vulnerability from fkie_nvd

ghsa-cqcc-mm6x-vmvw

Vulnerability from github

Proof of concept

Impact

Real-life impact

Patches

Workarounds

References

For more information

Timeline

Credits

gsd-2022-24833

Vulnerability from gsd

Tags

Sightings

Nomenclature