VYPR
Unrated severity · NVD Advisory · Published Dec 6, 2024 · Updated Dec 30, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jirafeau

CVE-2024-12326

Description

Jirafeau normally prevents browser preview for SVG files because a manipulated SVG file could be used for cross-site scripting. This was done by storing the MIME type of a file and preventing the browser preview for the MIME type image/svg+xml. The issue was first reported in CVE-2022-30110. However, it was still possible to obtain a browser preview of an SVG file by sending a manipulated MIME type during the upload in which the case of any letter in image/svg+xml had been changed (for example, image/svg+XML). The check for image/svg+xml has been changed to be case-insensitive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The MIME type check for SVG files was not case-insensitive, allowing bypass via manipulated casing."

Attack vector

An attacker could upload a manipulated SVG file by sending a modified MIME type in the HTTP request, such as 'image/svg+XML' instead of the expected 'image/svg+xml'. This bypasses the security check that normally prevents browser previews of SVG files due to Cross-Site Scripting (XSS) risks [ref_id=1]. The vulnerability was previously addressed in CVE-2022-30110 but re-emerged due to the case-sensitive nature of the check.

Affected code

The vulnerability exists in the `jirafeau_is_viewable` function, specifically in the condition that checks the MIME type of uploaded files. The original code used `strpos($mime, 'image/svg+xml') === false` to exclude SVG files from being viewable. The fix replaces this with `stripos($mime, 'image/svg+xml') === false` to perform a case-insensitive comparison [ref_id=1].

What the fix does

The patch modifies the function `jirafeau_is_viewable` to use `stripos` instead of `strpos` when checking the MIME type against 'image/svg+xml' [ref_id=1]. This change makes the comparison case-insensitive, ensuring that any variation in casing of the SVG MIME type will be correctly identified and blocked, thus preventing the preview of potentially malicious SVG files.
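The check before and after the fix, as an added illustration (not Jirafeau's own code): the two helper functions below are stand-ins for the MIME condition inside `jirafeau_is_viewable`, reproducing only the `strpos`/`stripos` comparison named in the advisory; the function names, the surrounding `image/` prefix test and the sample MIME types are assumptions constructed for this example.

```php
<?php
// Added example, not code from the Jirafeau project. Only the
// strpos()/stripos() condition mirrors the advisory's fix; the
// surrounding prefix test is an assumption made for illustration.

// Before the fix: strpos() is case-sensitive, so an SVG MIME type
// whose letters were re-cased by the uploader is not matched and
// the file is still treated as viewable.
function is_viewable_before(string $mime): bool
{
    return strpos($mime, 'image/') === 0
        && strpos($mime, 'image/svg+xml') === false;
}

// After the fix: stripos() compares case-insensitively, so every
// casing of image/svg+xml (and variants with parameters appended,
// such as "image/svg+xml; charset=utf-8") is excluded from preview.
function is_viewable_after(string $mime): bool
{
    return strpos($mime, 'image/') === 0
        && stripos($mime, 'image/svg+xml') === false;
}

// Constructed sample values as a client could declare them at upload.
$samples = [
    'image/png',
    'image/svg+xml',
    'image/svg+XML',
    'image/SVG+xml; charset=utf-8',
];

foreach ($samples as $mime) {
    printf("%-30s before: %-8s after: %s\n", $mime,
        is_viewable_before($mime) ? 'preview' : 'blocked',
        is_viewable_after($mime)  ? 'preview' : 'blocked');
}
```

Running this shows the mixed-case entries reported as "preview" by the pre-fix check and "blocked" by the fixed one, while `image/png` stays viewable in both.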

Preconditions

  • The user must be able to upload files to the Jirafeau instance.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
