CVE-2022-24833

Public Exploit

Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin

Description

PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.

References

Link	Tags
https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw	third party advisory exploit
https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1e9eb9b608d32b0cc0cb3b6c3b684eab	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-24833?: CVE-2022-24833 has been scored as a high severity vulnerability.
How to fix CVE-2022-24833?: To fix CVE-2022-24833, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-24833 being actively exploited in the wild?: It is possible that CVE-2022-24833 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-24833?: CVE-2022-24833 affects PrivateBin PrivateBin.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions