Vulnerability Description
PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Privatebin | Privatebin | >= 0.21, < 1.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6cPatchThird Party Advisory
- https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvwExploitThird Party Advisory
- https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6cPatchThird Party Advisory
- https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvwExploitThird Party Advisory
FAQ
What is CVE-2022-24833?
CVE-2022-24833 is a vulnerability with a CVSS score of 8.2 (HIGH). PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnera...
How severe is CVE-2022-24833?
CVE-2022-24833 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24833?
Check the references section above for vendor advisories and patch information. Affected products include: Privatebin Privatebin.