Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin
Description
PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
privatebin/privatebinPackagist | >= 0.21, < 1.4.0 | 1.4.0 |
Affected products
2- Range: >= v0.21, < v1.4.0
Patches
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References
4- github.com/advisories/GHSA-cqcc-mm6x-vmvwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24833ghsaADVISORY
- github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eabghsax_refsource_MISCWEB
- github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvwghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.