A serious cross-site scripting (XSS) vulnerability affected the open-source pastebin PrivateBin. Following the vulnerability's disclosure, PrivateBin moved swiftly to fix the bug and release a patch.
PrivateBin XSS Vulnerability
The security researcher Ian Budd from Nethemba s.r.o. found a persistent cross-site scripting (XSS) flaw in the PrivateBin platform.
Briefly, PrivateBin is an open-source, zero-knowledge online pastebin that lets users write and share quick notes privately. Because of its zero-knowledge design, the server never sees the pasted content in readable form; instead, the content is encrypted and decrypted in the user's browser using AES-256 GCM.
Specifically, the bug affected the image preview feature for attachments, first introduced in v0.21. Explaining the vulnerability, a GitHub advisory stated:
The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn’t protected by an appropriate content security policy.
The vulnerability was assigned CVE-2022-24833 and a medium-severity rating, with a CVSS score of 4.3.
The project explained that the bug did not affect instances serving the recommended Content Security Policy (CSP), including the older recommended policy, nor did it affect instances that do not have attachments enabled.
Accordingly, PrivateBin stated that the bug's impact was limited. Nonetheless, the project still found some vulnerable instances in the wild. As stated:
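The advisory's point is that an SVG is a document, not just a picture: it can carry script elements, event-handler attributes and javascript: URLs, which run when the SVG is embedded inline or in an object/iframe but never when it is loaded as an image. The following is an added example, not PrivateBin's code, showing a heuristic scan for such active content and the image-based rendering path; the pattern list and the sample SVGs are constructed for this illustration.

```javascript
// Added example (not PrivateBin code): a heuristic scan for script-bearing
// constructs in an SVG document, plus the rendering path in which browsers
// never execute such scripts (an <img> element). Regex-based, so treat it as
// a triage aid, not a substitute for a Content Security Policy.

// Constructs that make an SVG "active": script elements, event-handler
// attributes, javascript: URLs, and foreignObject (which can embed HTML).
const ACTIVE_PATTERNS = [
  { name: 'script element',          re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL',         re: /\b(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject element',   re: /<\s*foreignObject\b/i },
];

// Returns the names of active-content constructs found in svgText.
function findActiveContent(svgText) {
  return ACTIVE_PATTERNS.filter(p => p.re.test(svgText)).map(p => p.name);
}

// Builds a data: URI suitable for <img src="...">. When an SVG is loaded as an
// image (img element or CSS background), the browser does not run its scripts
// or event handlers, so this is a safer preview path than inline embedding.
function toImageDataUri(svgText) {
  return 'data:image/svg+xml;base64,' + Buffer.from(svgText, 'utf8').toString('base64');
}

// Constructed samples for the example (not taken from the advisory).
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const ACTIVE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)"><script>console.log(2)</script></svg>';

console.log('benign:', findActiveContent(BENIGN_SVG));
console.log('active:', findActiveContent(ACTIVE_SVG));
console.log('img src:', toImageDataUri(BENIGN_SVG).slice(0, 40) + '...');
```

The scan is deliberately conservative and will flag some harmless files; its value is in deciding whether a preview needs the image path or a sandboxed context. A strict CSP remains the control that makes the outcome independent of the scanner.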
We found two affected instances in our instance lists (wiki, directory) that did not serve a correct Content Security Policy header, had attachments enabled and thus are vulnerable to this attack…
In addition to that, we found that multiple instances do seem to either strip our CSP or have it changed to an unsafe setting and have thus expanded our directory service to verify whether our recommended CSP is used or not.
However, the project did not detect any active exploitation of the flaw.
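Since the deciding factor for exposure was whether an instance served an intact CSP, an operator's first check is to parse the header their instance actually returns and look for the settings that would let an attachment's script execute. The following is an added example, not PrivateBin's directory-service code; the policy strings are constructed for the illustration and are not PrivateBin's recommended header.

```javascript
// Added example (not PrivateBin's directory-service code): parse a
// Content-Security-Policy header and flag settings that would let an
// attachment's embedded script run. Constructed sample policies below.

// Parses "dir src src; dir2 src" into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources.map(s => s.toLowerCase()));
  }
  return policy;
}

// Effective sources for a fetch directive, honouring the default-src fallback;
// null means the directive is unrestricted.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

// Returns a list of findings; an empty list means these checks found no
// weakness. `header` may be null/undefined when the response lacks one.
function auditCsp(header) {
  if (!header) return ['no Content-Security-Policy header'];
  const findings = [];
  const policy = parseCsp(header);

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('script-src unrestricted (no script-src or default-src)');
  } else {
    if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
    if (scripts.some(s => s === '*' || s === 'https:' || s === 'http:')) findings.push('script-src allows any origin');
  }

  // Plugins/objects are another way to embed an SVG document; keep them locked down.
  if (effectiveSources(policy, 'object-src') === null) findings.push('object-src unrestricted');

  if (!policy.has('default-src')) findings.push('no default-src fallback');
  return findings;
}

// Constructed header values for the example (not PrivateBin's recommended CSP).
const STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data: blob:; object-src 'none'";
const WEAK_CSP   = "script-src 'self' 'unsafe-inline' *; img-src *";

console.log('strict:', auditCsp(STRICT_CSP));
console.log('weak:  ', auditCsp(WEAK_CSP));
console.log('absent:', auditCsp(null));
```

Feed it the value of the `Content-Security-Policy` header as returned by the instance (for example, from `curl -sI` against the instance URL) rather than the value in the configuration file, since the advisory's finding was precisely that reverse proxies or local edits had stripped or altered the header. The checks above target inline script execution and object embedding; compare the full header against the recommended policy in the project's own configuration documentation.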
Patch Deployed
Following the bug report, PrivateBin began working on a fix and released the patch in PrivateBin v1.4.0. As its advisory notes, the release also brought other changes:
This minor release addresses a security issue with the SVG attachment preview, adds support for Google Cloud Storage (GCS) and Oracle databases, adds four new languages to the translations and includes updated libraries.
Thus, anyone running PrivateBin should ensure they are on the latest version to avoid any potential risk.