December 11, 2023

An XSS vulnerability in PrivateBin, the open source secure pastebin, has been patched.

PrivateBin is an online tool used to store information; the data is encrypted and decrypted in the browser using 256-bit AES, meaning that the server has zero knowledge of the pasted data. The flaw allows malicious JavaScript code to be embedded in an SVG image file, which can then be attached to pastes.


If a user opens a paste with a specially crafted SVG attachment and interacts with the preview image while the instance isn't protected by an appropriate content security policy, an attacker can execute code.

The tricky part is that the user would have to open the image preview in a new tab; PrivateBin's report details how this can realistically be achieved.

Upon successful execution, the script could access unprotected cookies, local storage data and session storage data belonging to other applications running on the same domain, where such data is present in the victim's browser. This may include authentication tokens.


There were no reports, though, of the vulnerability being actively exploited.

PrivateBin says it has mitigated the vulnerability in the preview and is encouraging server administrators either to upgrade to a version with the fix or to ensure that the CSP of their instance is set correctly. It has also expanded its directory listing tool to include a checking mechanism.
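As an added illustration of the "is the CSP set correctly" check (written for this article; it is not PrivateBin's checking mechanism and applies general CSP rules, not PrivateBin's published requirements), the following Python parses a Content-Security-Policy header and reports script-src settings that would let an inline script, such as one embedded in an SVG, execute. The function names and the sample headers are constructed.

```python
from typing import Dict, List

# Constructed checker, not PrivateBin's own tool. It parses a
# Content-Security-Policy header and reports settings that would let an
# inline script (for example one embedded in an SVG attachment) run.

# Source expressions that make inline or attacker-controlled script loadable.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "*", "data:", "blob:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Browsers honour only the first occurrence of a directive, so later
    duplicates are dropped here as well.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def csp_findings(header: str) -> List[str]:
    """Return a list of problems; an empty list means inline script is blocked."""
    policy = parse_csp(header)
    if not policy:
        return ["no CSP header present"]
    # script-src governs scripts; without it browsers fall back to default-src.
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]
    else:
        return ["neither script-src nor default-src set: scripts are unrestricted"]
    # A nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    findings: List[str] = []
    for src in sources:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in RISKY_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}")
    return findings
```

Run it against the header your instance actually serves (for example from a `curl -I` of the paste page); an empty result means the policy blocks inline script, which is the property the attachment-preview attack depends on.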
