Persistent Cross-site Scripting (XSS) vulnerability in PrivateBin
CVE-2022-24833

8.2HIGH

Key Information:

Vendor: Privatebin
Status: Privatebin
Vendor: CVE Published:; 11 April 2022

What is CVE-2022-24833?

PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

PrivateBin >= v0.21, < v1.4.0

References

https://github.com/PrivateBin/PrivateBin/security/advisor...

x_refsource_CONFIRM

https://github.com/PrivateBin/PrivateBin/commit/2a4d572c1...

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 11, 2022
Vulnerability Reserved
Feb 10, 2022

JSON

Privatebin