QwikSec

Security Database

CVE

CWE

Training

CVE-2020-5223

Published: Jan 23, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3.2 & v1.2.2. Admins are urged to upgrade to these versions to protect the affected users.

Vendor	Product	Versions
PrivateBin	PrivateBin	affected `>= 1.2.0, < 1.2.2` affected `>= 1.3.0, < 1.3.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

References

https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-8j72-p2wm-6738

x_refsource_CONFIRM

https://privatebin.info/news/v1.3.2-v1.2.2-release.html

x_refsource_MISC

https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6

x_refsource_MISC

https://github.com/PrivateBin/PrivateBin/issues/554

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.