CVE-2022-24833

8.2 HIGH

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in PrivateBin where malicious SVG attachments containing JavaScript can execute arbitrary code when users interact with preview images. All PrivateBin instances running versions v0.21 through v1.3.x are affected unless protected by proper Content Security Policies.

💻 Affected Systems

Products:
  • PrivateBin
Versions: v0.21 through v1.3.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Also affects ZeroBin (the project's previous name). Vulnerability exists when SVG attachments are enabled and proper CSP headers are not configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as the user, or redirecting to malicious sites.

🟠 Likely Case

Attackers create pastes with malicious SVG attachments that execute JavaScript when users preview them, leading to session hijacking or credential theft.

🟢 If Mitigated

With proper Content Security Policy headers, SVG JavaScript execution is blocked, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking preview) but is straightforward once malicious SVG is uploaded.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.4.0

Vendor Advisory: https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw

Restart Required: Yes

Instructions:

1. Backup your PrivateBin instance.
2. Download PrivateBin v1.4.0 or later from GitHub.
3. Replace existing files with the new version.
4. Restart the web server.
5. Verify CSP headers are properly configured.

🔧 Temporary Workarounds

Implement Strict Content Security Policy (platform: all)

Configure the web server to send CSP headers that block inline JavaScript and restrict SVG execution.

Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:

🧯 If You Can't Patch

  • Disable SVG attachments completely in PrivateBin configuration
  • Implement WAF rules to block SVG files with JavaScript content

🔍 How to Verify

Check if Vulnerable:

Check PrivateBin version in admin interface or by examining source files. Versions below 1.4.0 are vulnerable.

Check Version:

Check lib/Controller.php for the version constant, or view the admin interface.

Verify Fix Applied:

After upgrade, verify version shows 1.4.0 or higher. Test by uploading SVG with JavaScript and confirming it doesn't execute.
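The two checks described above (a CSP that denies script execution in SVG previews, and a version at or above 1.4.0) as an added Python example; this is not PrivateBin's own code. It assumes the version is declared as `const VERSION = '...'` in lib/Controller.php, and the header strings and PHP source it runs on are constructed for the example. It also serves the Temporary Workarounds section: `data:` in img-src, as in the workaround header, does not weaken script control, because an SVG rendered through an <img> element cannot run script, so the checker only inspects the effective script-src.

```python
"""Added example (not PrivateBin project code): offline checks for the
verification steps of CVE-2022-24833.

1. Parse a Content-Security-Policy header and decide whether the effective
   script-src denies inline scripts, event handlers and data:/blob: scripts,
   which is what an SVG attachment would need to run JavaScript.
2. Read the VERSION constant out of lib/Controller.php and compare it with
   the fixed release 1.4.0.

The header values and the PHP source below are constructed; the
`const VERSION = '...'` pattern is an assumption about the declaration.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 4, 0)

# Source expressions in a script-src list that re-open inline or
# attacker-supplied script execution.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-hashes'", "*", "data:", "blob:"}

# Header from the workaround section and a deliberately weakened variant
# (both constructed for the example).
PAGE_CSP = "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:"
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src *"

# Constructed stand-in for lib/Controller.php of an unpatched install.
SAMPLE_CONTROLLER_PHP = """<?php
namespace PrivateBin;
class Controller
{
    const VERSION = '1.3.5';
}
"""

VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([0-9]+(?:\.[0-9]+)*)'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are ';'-separated; the first token is the directive name and
    the rest are source expressions. Names are lower-cased and a duplicate
    directive keeps its first occurrence, which is how browsers treat it.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_blocks_inline_script(header: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the effective script-src
    (script-src, else default-src) exists and lists no weak source."""
    policy = parse_csp(header)
    if "script-src" in policy:
        effective, origin = policy["script-src"], "script-src"
    elif "default-src" in policy:
        effective, origin = policy["default-src"], "default-src (fallback)"
    else:
        return False, "no script-src or default-src: inline script is allowed"
    if not effective or effective == ["'none'"]:
        return True, f"{origin} denies all script"
    weak = sorted(WEAK_SCRIPT_SOURCES.intersection(effective))
    if weak:
        return False, f"{origin} allows {', '.join(weak)}"
    return True, f"{origin} has no inline or data:/blob: script sources"


def parse_version(php_source: str) -> Tuple[int, ...]:
    """Extract the VERSION constant as a tuple of ints, e.g. (1, 3, 5)."""
    match = VERSION_RE.search(php_source)
    if match is None:
        raise ValueError("VERSION constant not found in source")
    return tuple(int(part) for part in match.group(1).split("."))


def version_is_patched(php_source: str) -> bool:
    """True when the declared version is 1.4.0 or later."""
    version = parse_version(php_source)
    version = version + (0,) * (3 - len(version))  # treat '1.4' as 1.4.0
    return version >= FIXED_VERSION


if __name__ == "__main__":
    for label, header in (("workaround header", PAGE_CSP), ("weak header", WEAK_CSP)):
        ok, reason = csp_blocks_inline_script(header)
        print(f"{label}: {'OK' if ok else 'WEAK'} ({reason})")
    print("patched:", version_is_patched(SAMPLE_CONTROLLER_PHP))
```

Run it against a live install by reading the real lib/Controller.php and the Content-Security-Policy value returned by the web server (for example from the response headers of the paste page) instead of the constructed samples.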

📡 Detection & Monitoring

Log Indicators:

  • Multiple SVG file uploads from single IP
  • Large SVG files with suspicious content patterns
  • Unusual spike in paste creation

Network Indicators:

  • HTTP requests for SVG files with JavaScript-like content in parameters
  • Unusual outbound connections after SVG preview

SIEM Query:

source="webserver.log" AND (uri="/?pasteid=" OR uri MATCHES "*\.svg") AND (user_agent CONTAINS "script" OR referer CONTAINS "javascript:")
