CVE-2024-12326
📋 TL;DR
This vulnerability in Jirafeau allows attackers to bypass SVG file preview restrictions by uploading files with case-manipulated MIME types (e.g., image/svg+XML instead of image/svg+xml). This enables cross-site scripting (XSS) attacks when users preview malicious SVG files. All Jirafeau instances with the vulnerable code are affected.
💻 Affected Systems
- Jirafeau
📦 What is this software?
Jirafeau by Jirafeau
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.
Likely Case
Attackers upload malicious SVG files with manipulated MIME types, then trick users into previewing them, leading to XSS attacks against those users.
If Mitigated
With proper input validation and content security policies, the impact is limited to potential data leakage from the user's current session.
🎯 Exploit Status
Exploitation requires file upload capability and user interaction (previewing the file). The technique is simple and similar to CVE-2022-30110.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 6cfca8753d54e2025c6020b2af32529e25f58c66
Vendor Advisory: https://gitlab.com/jirafeau/Jirafeau/-/commit/6cfca8753d54e2025c6020b2af32529e25f58c66
Restart Required: No
Instructions:
1. Update Jirafeau to include commit 6cfca8753d54e2025c6020b2af32529e25f58c66.
2. Replace the case-sensitive MIME type check with a case-insensitive comparison for image/svg+xml.
3. No service restart needed for PHP applications.
🔧 Temporary Workarounds
Disable SVG file uploads
Block SVG file uploads at the application or web server level.
# In Jirafeau configuration, restrict allowed file types
# In .htaccess for Apache (2.2 syntax; on 2.4 without mod_access_compat use "Require all denied"):
<FilesMatch "\.svg$">
    Deny from all
</FilesMatch>
# In nginx config (note the space after the "~*" modifier, which nginx requires):
location ~* \.svg$ {
    deny all;
}
Disable file preview functionality
Turn off browser preview for uploaded files.
# Modify Jirafeau configuration to disable previews
# Set the appropriate configuration option if your version provides one
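The core defect is a case-sensitive comparison of an attacker-controlled MIME type. The following is an added example, not Jirafeau's own code: a vulnerable check beside its hardened form, which also goes slightly beyond the page by sniffing the file's first bytes, since the declared type cannot be trusted at all. Function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not Jirafeau's code): preview gating for uploaded files.
// SVG must not be previewed inline because it can carry <script>.

// Vulnerable form: exact, case-sensitive comparison. "image/svg+XML" is not
// equal to "image/svg+xml", so the file is previewed and any script runs.
function previewAllowedVulnerable(string $declaredMime): bool
{
    return $declaredMime !== 'image/svg+xml';
}

// MIME types are case-insensitive (RFC 2045): normalise before comparing,
// and drop parameters such as "; charset=utf-8" first.
function normalizeMime(string $mime): string
{
    $type = explode(';', $mime, 2)[0];
    return strtolower(trim($type));
}

// Beyond the page: the declared type is chosen by the uploader, so also look
// for an SVG root element in the first bytes of the stored file.
function looksLikeSvg(string $fileHead): bool
{
    return (bool) preg_match('/<svg[\s>]/i', $fileHead);
}

// Hardened form: refuse preview on either signal.
function previewAllowedFixed(string $declaredMime, string $fileHead): bool
{
    if (normalizeMime($declaredMime) === 'image/svg+xml') {
        return false;
    }
    return !looksLikeSvg($fileHead);
}

// Constructed inputs: a text file, then SVG content under several labels.
$svgHead = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">';
$cases = [
    ['text/plain',                   'hello',  true],
    ['image/svg+xml',                $svgHead, false],
    ['image/svg+XML',                $svgHead, false], // the CVE's bypass
    ['IMAGE/SVG+XML; charset=utf-8', $svgHead, false],
    ['image/png',                    $svgHead, false], // mislabelled, caught by sniffing
];
foreach ($cases as [$mime, $head, $expected]) {
    $vuln  = previewAllowedVulnerable($mime) ? 'preview' : 'blocked';
    $fixed = previewAllowedFixed($mime, $head) ? 'preview' : 'blocked';
    printf("%-30s vulnerable=%-8s fixed=%-8s\n", $mime, $vuln, $fixed);
    assert(previewAllowedFixed($mime, $head) === $expected);
}
```

Run with `php example.php`: the vulnerable check reports "preview" for the mixed-case and mislabelled rows, the hardened check reports "blocked".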
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent XSS execution
- Use web application firewall (WAF) rules to block SVG files with manipulated MIME types
🔍 How to Verify
Check if Vulnerable:
Check if your Jirafeau version includes commit 6cfca8753d54e2025c6020b2af32529e25f58c66. Test by uploading an SVG file with case-manipulated MIME type (e.g., image/svg+XML) and attempting to preview it.
Check Version:
Check git log or version file in Jirafeau installation directory
Verify Fix Applied:
After update, attempt to upload SVG file with case-manipulated MIME type and verify preview is blocked. Check that MIME type comparison is now case-insensitive.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with SVG extensions but non-standard MIME types
- Multiple failed preview attempts for SVG files
- User reports of unexpected browser behavior after file preview
Network Indicators:
- HTTP requests with manipulated Content-Type headers for SVG uploads
- Increased uploads of SVG files
SIEM Query:
source="web_server" (uri_path="*upload*" AND (file_extension="svg" OR content_type="*svg*")) | stats count by src_ip, user_agent