CKAN - Stored Cross-Site Scripting (XSS) via SVG File Upload
CVE-2021-25967

5.4MEDIUM

Key Information:

Vendor: Ckan
Status: Ckan
Vendor: CVE Published:; 1 December 2021

Summary

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture

Affected Version(s)

ckan 2.9.0

ckan <= 2.9.3

References

https://www.whitesourcesoftware.com/vulnerability-databas...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 1, 2021
Vulnerability Reserved
Jan 22, 2021

Credit

WhiteSource Vulnerability Research Team (WVR)