CVE-2020-5223 (GCVE-0-2020-5223)
Vulnerability from cvelistv5 – Published: 2020-01-23 01:35 – Updated: 2024-08-04 08:22
VLAI?
Title
Persistent XSS vulnerability in filename of attached file in PrivateBin
Summary
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PrivateBin | PrivateBin |
Affected:
>= 1.2.0, < 1.2.2
Affected: >= 1.3.0, < 1.3.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:08.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PrivateBin",
"vendor": "PrivateBin",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.2"
},
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-23T01:35:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
}
],
"source": {
"advisory": "GHSA-8j72-p2wm-6738",
"discovery": "UNKNOWN"
},
"title": "Persistent XSS vulnerability in filename of attached file in PrivateBin",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5223",
"STATE": "PUBLIC",
"TITLE": "Persistent XSS vulnerability in filename of attached file in PrivateBin"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrivateBin",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.2.0, \u003c 1.2.2"
},
{
"version_value": "\u003e= 1.3.0, \u003c 1.3.2"
}
]
}
}
]
},
"vendor_name": "PrivateBin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738",
"refsource": "CONFIRM",
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"name": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html",
"refsource": "MISC",
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
},
{
"name": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6",
"refsource": "MISC",
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
},
{
"name": "https://github.com/PrivateBin/PrivateBin/issues/554",
"refsource": "MISC",
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
}
]
},
"source": {
"advisory": "GHSA-8j72-p2wm-6738",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5223",
"datePublished": "2020-01-23T01:35:14",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:08.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-5223\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-01-23T02:15:13.423\",\"lastModified\":\"2024-11-21T05:33:42.673\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.\"},{\"lang\":\"es\",\"value\":\"PrivateBin versiones 1.2.0 anteriores a 1.2.2 y 1.3.0 anteriores a 1.3.2, es posible un ataque de tipo XSS persistente. Bajo determinadas condiciones, un nombre de archivo adjunto proporcionado por parte del usuario puede inyectar HTML conllevando a una vulnerabilidad de tipo Cross-site scripting (XSS) persistente. La vulnerabilidad ha sido corregida en PrivateBin versiones v1.3.2 y v1.2.2. Se insta a los administradores a actualizar a estas versiones para proteger a los usuarios afectados.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:S/C:N/I:P/A:N\",\"baseScore\":2.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2\",\"versionEndExcluding\":\"1.2.2\",\"matchCriteriaId\":\"F1889EB9-8FB8-467F-B66C-4649A5B9373E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.3\",\"versionEndExcluding\":\"1.3.2\",\"matchCriteriaId\":\"8D8FFA77-8158-4989-AE2C-1AAD126F3196\"}]}]}],\"references\":[{\"url\":\"https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/issues/554\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://privatebin.info/news/v1.3.2-v1.2.2-release.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/issues/554\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://privatebin.info/news/v1.3.2-v1.2.2-release.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
}
}
FKIE_CVE-2020-5223
Vulnerability from fkie_nvd - Published: 2020-01-23 02:15 - Updated: 2024-11-21 05:33
Severity ?
6.1 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| privatebin | privatebin | * | |
| privatebin | privatebin | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F1889EB9-8FB8-467F-B66C-4649A5B9373E",
"versionEndExcluding": "1.2.2",
"versionStartIncluding": "1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8D8FFA77-8158-4989-AE2C-1AAD126F3196",
"versionEndExcluding": "1.3.2",
"versionStartIncluding": "1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."
},
{
"lang": "es",
"value": "PrivateBin versiones 1.2.0 anteriores a 1.2.2 y 1.3.0 anteriores a 1.3.2, es posible un ataque de tipo XSS persistente. Bajo determinadas condiciones, un nombre de archivo adjunto proporcionado por parte del usuario puede inyectar HTML conllevando a una vulnerabilidad de tipo Cross-site scripting (XSS) persistente. La vulnerabilidad ha sido corregida en PrivateBin versiones v1.3.2 y v1.2.2. Se insta a los administradores a actualizar a estas versiones para proteger a los usuarios afectados."
}
],
"id": "CVE-2020-5223",
"lastModified": "2024-11-21T05:33:42.673",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-23T02:15:13.423",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2020-5223
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-5223",
"description": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.",
"id": "GSD-2020-5223"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-5223"
],
"details": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.",
"id": "GSD-2020-5223",
"modified": "2023-12-13T01:22:03.251323Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5223",
"STATE": "PUBLIC",
"TITLE": "Persistent XSS vulnerability in filename of attached file in PrivateBin"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PrivateBin",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.2.0, \u003c 1.2.2"
},
{
"version_value": "\u003e= 1.3.0, \u003c 1.3.2"
}
]
}
}
]
},
"vendor_name": "PrivateBin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738",
"refsource": "CONFIRM",
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"name": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html",
"refsource": "MISC",
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
},
{
"name": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6",
"refsource": "MISC",
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
},
{
"name": "https://github.com/PrivateBin/PrivateBin/issues/554",
"refsource": "MISC",
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
}
]
},
"source": {
"advisory": "GHSA-8j72-p2wm-6738",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=1.2,\u003c1.2.2||\u003e=1.3,\u003c1.3.2",
"affected_versions": "All versions starting from 1.2 before 1.2.2, all versions starting from 1.3 before 1.3.2",
"cvss_v2": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2020-01-29",
"description": "In PrivateBin, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability.",
"fixed_versions": [
"1.2.2",
"1.3.2"
],
"identifier": "CVE-2020-5223",
"identifiers": [
"CVE-2020-5223",
"GHSA-8j72-p2wm-6738"
],
"not_impacted": "All versions before 1.2, all versions starting from 1.2.2 before 1.3, all versions starting from 1.3.2",
"package_slug": "packagist/privatebin/privatebin",
"pubdate": "2020-01-23",
"solution": "Upgrade to versions 1.2.2, 1.3.2 or above.",
"title": "Cross-site Scripting",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5223",
"https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
],
"uuid": "ae933af6-94a2-444c-a413-320d40c63b93"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.2.2",
"versionStartIncluding": "1.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.3.2",
"versionStartIncluding": "1.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5223"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 \u0026 v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"name": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
},
{
"name": "https://github.com/PrivateBin/PrivateBin/issues/554",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
},
{
"name": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2020-01-29T16:20Z",
"publishedDate": "2020-01-23T02:15Z"
}
}
}
GHSA-8J72-P2WM-6738
Vulnerability from github – Published: 2020-01-14 20:19 – Updated: 2021-01-14 17:43
VLAI?
Summary
Persistent XSS vulnerability in filename of attached file in PrivateBin
Details
On 24th of December 2019 one of the property based unit tests reported a failure. Upon investigation, @elrido discovered that the failure was due to unescaped HTML, which allowed the user provided attachment file name to inject HTML under certain conditions leading to a persistent Cross-site scripting (XSS) vulnerability. After committing an initial fix to the master branch, the issue was reported on 25th of December. Vulnerability write-up done by @rugk and @elrido.
The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.
Affected versions
Any PrivateBin version since 1.2.
Conditions
- The configuration setting
fileuploadhas to be enabled, as 1.3 displays an error when trying to open a paste with attachment. - The CSP header rules don't get applied. For example:
- They are unsupported or disabled in the visitors browser.
- They are filtered out by a some proxy server at the server or client side.
- The header is disabled/commented in the PHP-logic.
- The rules have been relaxed in the
cspheaderconfiguration setting. - A paste with a malicious filename is created.
- A visitor of that paste clicks on the "Clone" button.
Proof of concept
The following method is just one possibility to exploit this issue and is provided as a proof of concept with steps to reproduce the issue. To avoid having to create an actual file with a rogue filename, one could use the Python CLI client for PrivateBin and edit line 56 in format.py as follows:
- self._attachment_name = path_leaf(path)
+ self._attachment_name = '<script>alert("☹️");//<a'
The paste then can be created on a vulnerable instance:
$ python pbincli/cli.py send -t " " -f /dev/null -s https://privatebin.net/
Visiting the created paste on a vulnerable instance, with fileupload enabled and the CSP header weakened or disabled, and clicking the clone button will insert the HTML unescaped. In the above example, a pop-up would appear, when the script is executed.
Impact
On a vulnerable site pastes with malicious filenames can be created and users visiting these could inadvertently trigger the code execution when they click the "Clone" button. They could be instigated to do so via social engineering, like a paste text suggesting to "clone and share" the paste in question.
The attached file itself doesn't have to be empty and could be an image or document that would still be displayed inline as usual. The execution of the script triggered by clicking on the "Clone" button may occur silently in the background without showing any noticeable signs in browser. It may for instance be used to track visitors, start drive-by-downloads or similar. While we focus on script injection here, as it is the easiest exploit vector, it has to be said that anything else can be injected like CSS, images, videos, although the default CSP will block inline CSS and images, e.g.
On first visit, the filename isn't visible and is properly escaped when inserted into the download attribute. Only when clicking the "Download attachment" link would open a file save dialog with an odd name pre-filled, although browsers will convert illegal characters into valid ones, so it may not be identical to the one provided. Only when the "Clone" button has been clicked and after the exploit has already been triggered, the filename gets displayed. Note that an attacker can of course prevent this indicator of compromise to be shown and e.g. change the displayed text or obfuscate the filename by starting it with something harmless, like image.png, before opening the HTML tag.
Impact restrictions
The impact is mitigated by the fact that the vulnerability is, as far as our investigation concluded, paste-specific, i.e. opening a vulnerable paste can only compromise this one paste and no other pastes.
Furthermore, as stated before, the impact is mitigated by the fact that we deploy a strong CSP that, by default, does not allow inline JS or other potentially easy methods that would allow an easy exploitation of the vulnerability.
That said, we have to make users aware, that there may always be tricks to bypass such a CSP and the simple injection of HTML tags, e.g. destroying, faking or somehow phishing an HTML page does always remain a possibility.
As such, we treat this as a security vulnerability with medium severity. It is critical on it's own, but we believe that the deployed security mechanisms should prevent an exploit in practice in most cases.
Real-life impact
We checked all instances listed in the PrivateBin directory in the Wiki and didn't find any 1.1, 1.2 or 1.3 instances that had the CSP headers disabled or in a state we know to be vulnerable. We used the following script, that may be adapted to check the CSP headers of any single instance:
for URL in $(
curl -s https://raw.githubusercontent.com/wiki/PrivateBin/PrivateBin/PrivateBin-Directory.md | grep -Po '^http.*?(?= )'
)
do
echo -n "$URL: "
curl -sLI $URL | grep -Poi 'content-security-policy.*script-src.?\K.*?(?=;)' || echo 'No CSP detected!'
done
Some of the above sites do offer file uploads. On these instances, it is still possible that a visitor could have CSP support disabled in their browser, i.e. via a transparent proxy at their internet uplink or due to a browser plugin or some other locally installed, misguided security solution.
Important: This scan is only a cursory check and must not be taken as a security analysis of any means! You are always responsible for the security of your own instance. Please do check it manually!
Mitigation
As server administrators can't detect if a paste contains file attachments at all (apart from their size) in version 1.3 and due to the encrypted filename in older versions, as well as the risk for clients that don't apply the CSP settings, we urge them to upgrade to versions 1.3.2 or 1.2.2.
If you use v1.3, you could disable the fileupload setting to prevent pastes from getting displayed that may contain this vulnerability. Note that this will break all existing pastes with uploads, however, so we do not recommend this, but advise you to upgrade to a fixed version instead.
Further information
We want to make potential third-party client authors aware of this vulnerability and urge them to double-check their implementations. If they develop a client that displays untrusted foreign data from a paste in a HTML site, please make sure to escape it to prevent XSS attacks. Such attacks can only be prevented when the paste is displayed, a mitigation when a paste is created is pointless, as a different client can be used during creation.
We do also acknowledge and want to highlight the benefit of the CSP, which has first been introduced in PrivateBin v1.0.
However, we want to make you again aware that a whitelist-based CSP as we use, may sometimes still be bypassed, e.g. if you host a copy of the Angular library on the same domain as your PrivateBin instance. We are aware of that and do consider upgrading to a stronger CSP in the future.
Issue discovery
While it is satisfying that our hard work on introducing unit tests has payed off in the discovery and mitigation of this vulnerability, it does also show a limitation of unit testing. A third party doing a code review would have certainly focused on how the project handles user provided input and may have discovered this much quicker.
The discovery wasn't due to the unit test checking for HTML input to get properly escaped, on the contrary, the test assumed input would not be changed. So other instances of HTML tags generated would have happily passed the test. Only when the test generated a fragment of a link (<a) it failed, because the DOM silently removed it when it inserted the string, as links within links aren't allowed. While the test was written to throw arbitrary strings at the AttachmentViewer.moveAttachmentTo() method, the test would only check that these got inserted into the DOM unchanged, oblivious of their potential significance when interpreted as HTML.
The test had been introduced on December 3rd, 2017, 570 commits ago. Every commit on master and in PRs since introduction in that commit triggers these tests to run for every supported PHP version. Additional test cycles get run on developers local environments during working on commits. Hence the test suite must have run a few thousand times, testing 100 random strings each time. And only after more then 2 years a string containing <a got generated, triggered the error condition and 22 shrinks later the smallest failing test case was presented as:
Failed after 65 tests and 22 shrinks. rngState: 8b8f0d4ec2a67139b5; Counterexample: "image/png"; ""; "\u0000"; "<a"; "";
Discussion about a potential problem with that code, did spark last September, when the vulnerable code part was changed to the one before before the current fix, but was incorrectly judged as not being a problem, because all of our translation strings are hardcoded. The fact that we do actually add some untrusted user-provided content, wasn't considered at that point.
It should also be mentioned, that the coverage report released for version 1.3.1 did highlight the line that caused this vulnerability as not being covered during testing:
So, in conclusion, it is great to have all of these tools at our disposal, but the code quality would benefit a lot more from having more eyeballs and brains on it.
Timeline
- 2019-12-24 – Property based unit test fails in a commit pushed to a PR.
- 2019-12-25 – Issue investigated, preliminary patch and issue description published.
- 2019-12-30 – Further investigations, proof-of-concept exploit demonstrated on a vulnerable test instance.
- 2020-01-03 – Discussed broader mitigation of user provided content injections, reviewed other possible cases.
- 2020-01-04 – Published a second patch based on review, escapes HTML in translation.
- 2020-01-05 – Started writing vulnerability report.
- 2020-01-07 – Backported fix for 1.2.1.
- 2020-01-11 – Release published.
- 2020-01-11 – Vulnerability details published.
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "privatebin/privatebin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "privatebin/privatebin"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5223"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-14T19:41:14Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "On 24th of December 2019 one of the [property based unit tests](https://github.com/PrivateBin/PrivateBin/blob/master/tst/README.md#property-based-unit-testing) reported a [failure](https://travis-ci.org/PrivateBin/PrivateBin/jobs/629180605#L782). Upon investigation, [@elrido](https://github.com/elrido) discovered that the failure was due to unescaped HTML, which allowed the user provided attachment file name to inject HTML under certain conditions leading to a persistent [Cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) vulnerability. After committing an [initial fix](https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6) to the master branch, the [issue was reported](https://github.com/PrivateBin/PrivateBin/issues/554) on 25th of December. Vulnerability write-up done by [@rugk](https://github.com/rugk) and [@elrido](https://github.com/elrido). \nThe vulnerability has been fixed in [PrivateBin v1.3.2 \u0026 v1.2.2](https://privatebin.info/news/v1.3.2-v1.2.2-release.html). Admins are urged to upgrade to these versions to protect the affected users.\n\n## Affected versions\n\nAny PrivateBin version since 1.2.\n\n## Conditions\n\n* The configuration setting `fileupload` has to be enabled, as 1.3 displays an error when trying to open a paste with attachment.\n* The CSP header rules don\u0027t get applied. For example:\n * They are unsupported or disabled in the visitors browser.\n * They are filtered out by a some proxy server at the server or client side.\n * The header is disabled/commented in the PHP-logic.\n * The rules have been relaxed in the `cspheader` configuration setting.\n* A paste with a malicious filename is created.\n* A visitor of that paste clicks on the \"Clone\" button.\n\n## Proof of concept\n\nThe following method is just one possibility to exploit this issue and is provided as a proof of concept with steps to reproduce the issue. To avoid having to create an actual file with a rogue filename, one could use the [Python CLI client for PrivateBin](https://github.com/r4sas/PBinCLI/) and [edit line 56 in `format.py`](https://github.com/r4sas/PBinCLI/blob/682b47fbd3e24a8a53c3b484ba896a5dbc85cda2/pbincli/format.py#L56) as follows:\n\n```diff\n- self._attachment_name = path_leaf(path)\n+ self._attachment_name = \u0027\u003cscript\u003ealert(\"\u2639\ufe0f\");//\u003ca\u0027\n```\n\nThe paste then can be created on a vulnerable instance:\n\n```shell\n$ python pbincli/cli.py send -t \" \" -f /dev/null -s https://privatebin.net/\n```\n\nVisiting the created paste on a vulnerable instance, with `fileupload` enabled and the CSP header weakened or disabled, and clicking the clone button will insert the HTML unescaped. In the above example, a pop-up would appear, when the script is executed.\n\n## Impact\n\nOn a vulnerable site pastes with malicious filenames can be created and users visiting these could inadvertently trigger the code execution when they click the \"Clone\" button. They could be instigated to do so via social engineering, like a paste text suggesting to \"clone and share\" the paste in question.\n\nThe attached file itself doesn\u0027t have to be empty and could be an image or document that would still be displayed inline as usual. The execution of the script triggered by clicking on the \"Clone\" button may occur silently in the background without showing any noticeable signs in browser. It may for instance be used to track visitors, start drive-by-downloads or similar. While we focus on script injection here, as it is the easiest exploit vector, it has to be said that anything else can be injected like CSS, images, videos, although the default CSP will block inline CSS and images, e.g.\n\nOn first visit, the filename isn\u0027t visible and is properly escaped when inserted into the download attribute. Only when clicking the \"Download attachment\" link would open a file save dialog with an odd name pre-filled, although browsers will convert illegal characters into valid ones, so it may not be identical to the one provided. Only when the \"Clone\" button has been clicked and after the exploit has already been triggered, the filename gets displayed. Note that an attacker can of course prevent this indicator of compromise to be shown and e.g. change the displayed text or obfuscate the filename by starting it with something harmless, like `image.png`, before opening the HTML tag.\n\n### Impact restrictions\n\nThe impact is mitigated by the fact that the vulnerability is, as far as our investigation concluded, paste-specific, i.e. opening a vulnerable paste can only compromise this one paste and no other pastes.\n\nFurthermore, as stated before, the impact is mitigated by the fact that we deploy a strong [CSP](https://content-security-policy.com/) that, by default, does not allow inline JS or other potentially easy methods that would allow an easy exploitation of the vulnerability. \nThat said, we have to make users aware, that there may always be tricks to bypass such a CSP and the simple injection of HTML tags, e.g. destroying, faking or somehow phishing an HTML page does always remain a possibility.\n\nAs such, we treat this as a security vulnerability with medium severity. It is critical on it\u0027s own, but we believe that the deployed security mechanisms should prevent an exploit in practice in most cases.\n\n## Real-life impact\n\nWe checked all instances listed in the [PrivateBin directory in the Wiki](https://github.com/PrivateBin/PrivateBin/wiki/PrivateBin-Directory) and didn\u0027t find any 1.1, 1.2 or 1.3 instances that had the CSP headers disabled or in a state we know to be vulnerable. We used the following script, that may be adapted to check the CSP headers of any single instance:\n\n```shell\nfor URL in $(\n curl -s https://raw.githubusercontent.com/wiki/PrivateBin/PrivateBin/PrivateBin-Directory.md | grep -Po \u0027^http.*?(?= )\u0027\n)\ndo\n echo -n \"$URL: \"\n curl -sLI $URL | grep -Poi \u0027content-security-policy.*script-src.?\\K.*?(?=;)\u0027 || echo \u0027No CSP detected!\u0027\ndone\n```\n\nSome of the above sites do offer file uploads. On these instances, it is still possible that a visitor could have CSP support disabled in their browser, i.e. via a transparent proxy at their internet uplink or due to a browser plugin or some other locally installed, misguided security solution.\n\n**Important:** This scan is only a cursory check and _must not_ be taken as a security analysis of any means! You are always responsible for the security of your own instance. Please do check it manually!\n\n## Mitigation\n\nAs server administrators can\u0027t detect if a paste contains file attachments at all (apart from their size) in version 1.3 and due to the encrypted filename in older versions, as well as the risk for clients that don\u0027t apply the CSP settings, we urge them to upgrade to versions 1.3.2 or 1.2.2.\n\nIf you use v1.3, you could disable the `fileupload` setting to prevent pastes from getting displayed that may contain this vulnerability. Note that this will break all existing pastes with uploads, however, so we do _not_ recommend this, but advise you to upgrade to a fixed version instead.\n\n## Further information\n\nWe want to make potential third-party client authors aware of this vulnerability and urge them to double-check their implementations. If they develop a client that displays untrusted foreign data from a paste in a HTML site, please make sure to escape it to prevent XSS attacks. Such attacks can only be prevented when the paste is displayed, a mitigation when a paste is created is pointless, as a different client can be used during creation.\n\nWe do also acknowledge and want to highlight the benefit of the CSP, which has first been [introduced in PrivateBin v1.0](https://github.com/PrivateBin/PrivateBin/issues/10).\n\nHowever, we want to make you again aware that a whitelist-based CSP as we use, may [sometimes still be bypassed](https://csp.withgoogle.com/docs/faq.html#problems-with-whitelists), e.g. if you host a copy of the Angular library on the same domain as your PrivateBin instance.\nWe are aware of that and [do consider](https://github.com/PrivateBin/PrivateBin/issues/108) upgrading to a stronger CSP in the future.\n\n### Issue discovery\n\nWhile it is satisfying that our hard work on introducing unit tests has payed off in the discovery and mitigation of this vulnerability, it does also show a limitation of unit testing. A third party doing a code review would have certainly focused on how the project handles user provided input and may have discovered this much quicker.\n\nThe discovery wasn\u0027t due to the unit test checking for HTML input to get properly escaped, on the contrary, the test assumed input would not be changed. So other instances of HTML tags generated would have happily passed the test. Only when the test generated a fragment of a link (`\u003ca`) it failed, because the DOM silently removed it when it inserted the string, as links within links aren\u0027t allowed. While the test was written to throw arbitrary strings at the `AttachmentViewer.moveAttachmentTo()` method, the test would only check that these got inserted into the DOM unchanged, oblivious of their potential significance when interpreted as HTML.\n\nThe [test had been introduced](https://github.com/PrivateBin/PrivateBin/commit/39860dfdc434c00d18342b4fb3bc6f5d0960030d) on December 3rd, 2017, 570 commits ago. Every commit on master and in PRs since introduction in that commit triggers these tests to run for every supported PHP version. Additional test cycles get run on developers local environments during working on commits. Hence the test suite must have run a few thousand times, testing 100 random strings each time. And only after more then 2 years a string containing `\u003ca` got generated, triggered the error condition and 22 shrinks later the smallest failing test case was presented as:\n\n```\nFailed after 65 tests and 22 shrinks. rngState: 8b8f0d4ec2a67139b5; Counterexample: \"image/png\"; \"\"; \"\\u0000\"; \"\u003ca\"; \"\";\n```\n\nDiscussion about a potential problem with that code, [did spark last September](https://github.com/PrivateBin/PrivateBin/pull/508#commitcomment-34943221), when the vulnerable code part was changed to the one before before the current fix, but was [incorrectly judged](https://github.com/PrivateBin/PrivateBin/pull/508#commitcomment-34944396) as not being a problem, because all of our translation strings are hardcoded. The fact that we do actually add some untrusted user-provided content, wasn\u0027t considered at that point.\n\nIt should also be mentioned, that the coverage report released for version 1.3.1 did highlight the line that caused this vulnerability as not being covered during testing:\n\n\n\nSo, in conclusion, it is great to have all of these tools at our disposal, but the code quality would benefit a lot more from having more eyeballs and brains on it.\n\n## Timeline\n\n* 2019-12-24 \u2013 Property based unit test fails in a commit pushed to a PR.\n* 2019-12-25 \u2013 Issue investigated, preliminary patch and issue description published.\n* 2019-12-30 \u2013 Further investigations, proof-of-concept exploit demonstrated on a vulnerable test instance.\n* 2020-01-03 \u2013 Discussed broader mitigation of user provided content injections, reviewed other possible cases.\n* 2020-01-04 \u2013 Published a second patch based on review, escapes HTML in translation.\n* 2020-01-05 \u2013 Started writing vulnerability report.\n* 2020-01-07 \u2013 Backported fix for 1.2.1.\n* 2020-01-11 \u2013 [Release published](https://github.com/PrivateBin/PrivateBin/releases/tag/1.3.2).\n* 2020-01-11 \u2013 Vulnerability details published.",
"id": "GHSA-8j72-p2wm-6738",
"modified": "2021-01-14T17:43:40Z",
"published": "2020-01-14T20:19:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5223"
},
{
"type": "WEB",
"url": "https://github.com/PrivateBin/PrivateBin/issues/554"
},
{
"type": "WEB",
"url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"
},
{
"type": "WEB",
"url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Persistent XSS vulnerability in filename of attached file in PrivateBin"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…