CVE-2020-5223 - OpenCVE

In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Privatebin	Privatebin

Configuration 1 [-]

OR	cpe:2.3:a:privatebin:privatebin::::::::
	cpe:2.3:a:privatebin:privatebin::::::::

No data.

References

Link	Providers
https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6
https://github.com/PrivateBin/PrivateBin/issues/554
https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738
https://privatebin.info/news/v1.3.2-v1.2.2-release.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-01-23T01:35:14

Updated: 2024-08-04T08:22:08.955Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5223

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-01-23T02:15:13.423

Modified: 2020-01-29T16:20:54.803

Link: CVE-2020-5223

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "PrivateBin", "vendor": "PrivateBin", "versions": [{"status": "affected", "version": ">= 1.2.0, < 1.2.2"}, {"status": "affected", "version": ">= 1.3.0, < 1.3.2"}]}], "descriptions": [{"lang": "en", "value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-23T01:35:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"}, {"tags": ["x_refsource_MISC"], "url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/PrivateBin/PrivateBin/issues/554"}], "source": {"advisory": "GHSA-8j72-p2wm-6738", "discovery": "UNKNOWN"}, "title": "Persistent XSS vulnerability in filename of attached file in PrivateBin", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5223", "STATE": "PUBLIC", "TITLE": "Persistent XSS vulnerability in filename of attached file in PrivateBin"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PrivateBin", "version": {"version_data": [{"version_value": ">= 1.2.0, < 1.2.2"}, {"version_value": ">= 1.3.0, < 1.3.2"}]}}]}, "vendor_name": "PrivateBin"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738", "refsource": "CONFIRM", "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"}, {"name": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html", "refsource": "MISC", "url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"}, {"name": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6", "refsource": "MISC", "url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"}, {"name": "https://github.com/PrivateBin/PrivateBin/issues/554", "refsource": "MISC", "url": "https://github.com/PrivateBin/PrivateBin/issues/554"}]}, "source": {"advisory": "GHSA-8j72-p2wm-6738", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:08.955Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PrivateBin/PrivateBin/issues/554"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5223", "datePublished": "2020-01-23T01:35:14", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:08.955Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1889EB9-8FB8-467F-B66C-4649A5B9373E", "versionEndExcluding": "1.2.2", "versionStartIncluding": "1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:privatebin:privatebin:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D8FFA77-8158-4989-AE2C-1AAD126F3196", "versionEndExcluding": "1.3.2", "versionStartIncluding": "1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users."}, {"lang": "es", "value": "PrivateBin versiones 1.2.0 anteriores a 1.2.2 y 1.3.0 anteriores a 1.3.2, es posible un ataque de tipo XSS persistente. Bajo determinadas condiciones, un nombre de archivo adjunto proporcionado por parte del usuario puede inyectar HTML conllevando a una vulnerabilidad de tipo Cross-site scripting (XSS) persistente. La vulnerabilidad ha sido corregida en PrivateBin versiones v1.3.2 y v1.2.2. Se insta a los administradores a actualizar a estas versiones para proteger a los usuarios afectados."}], "id": "CVE-2020-5223", "lastModified": "2020-01-29T16:20:54.803", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-01-23T02:15:13.423", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/PrivateBin/PrivateBin/issues/554"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://privatebin.info/news/v1.3.2-v1.2.2-release.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}