An XSS vulnerability in PrivateBin, the open source secure pastebin, has been patched.
If a user opens a paste with a specifically crafted SVG attachment and interacts with the preview image while the instance isn’t protected by an appropriate content security policy (CSP), an attacker can execute code in the user’s browser.
The tricky part is that the user would have to open the image preview in a new tab; how this can realistically be achieved is detailed by PrivateBin in its report.
Upon successful execution, it could allow access to unprotected cookies, local storage data and session storage data of other applications running on the same domain, where such data is present in the victim’s browser. This may include authentication tokens.
There were no reports, though, of the vulnerability being actively exploited.
PrivateBin says it has mitigated the vulnerability in the preview and is encouraging server administrators either to upgrade to a version with the fix or to ensure the CSP of their instance is set correctly. It has also expanded its directory listing tool to include a checking mechanism.
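The mitigation hinges on the instance's CSP restricting script execution. As an added illustration (not PrivateBin's own checker and not its shipped defaults), the following Python audits a Content-Security-Policy header for the script-related directives an administrator would want to verify; the sample headers are constructed.

```python
# Added example (not PrivateBin's own code): audit a Content-Security-Policy
# header for the directives that decide whether inline or foreign scripts can
# run. The sample headers below are constructed for illustration only.
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]} (lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src falls back to default-src; None means nothing restricts scripts."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_csp(header: str) -> List[str]:
    """Return findings about script execution; an empty list means inline and
    cross-origin scripts are restricted by this policy."""
    findings: List[str] = []
    if not header.strip():
        return ["no CSP header: inline and foreign scripts run unrestricted"]
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["neither script-src nor default-src set: scripts unrestricted"]
    # A nonce or hash makes browsers ignore 'unsafe-inline', so only flag it alone.
    nonced = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if "'unsafe-inline'" in sources and not nonced:
        findings.append("'unsafe-inline' allows inline scripts")
    if "*" in sources:
        findings.append("wildcard allows scripts from any origin")
    for scheme in ("data:", "blob:"):
        if scheme in sources:
            findings.append(f"{scheme} source allows scripts loaded from {scheme} URLs")
    return findings


# Constructed sample headers, not any real instance's configuration.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' data:"
STRICT_CSP = "default-src 'none'; script-src 'self'; img-src 'self' data: blob:"

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, audit_csp(csp) or ["ok"])
```

Feed it the `Content-Security-Policy` response header of your own instance; an empty findings list is the state to aim for, while the upgrade remains the primary fix.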