PT-2020-18319 · Privatebin · Privatebin

Elrido · Published 2020-01-14 · Updated 2020-01-29

CVE-2020-5223 · CVSS v3.1 6.1 (Medium) · Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PrivateBin versions 1.2.0 through 1.2.1; PrivateBin versions 1.3.0 through 1.3.1

Description: A persistent Cross-site scripting (XSS) vulnerability is possible in PrivateBin due to unescaped HTML in user-provided attachment file names. This can lead to code execution when a visitor clicks the "Clone" button on a paste with a malicious filename. The impact is mitigated by the fact that the vulnerability is paste-specific and the deployed Content Security Policy (CSP) does not allow inline JS. However, there may be tricks to bypass the CSP, and the simple injection of HTML tags can still occur.

Recommendations: For PrivateBin versions 1.2.0 through 1.2.1, upgrade to version 1.2.2 to protect against the vulnerability. For PrivateBin versions 1.3.0 through 1.3.1, upgrade to version 1.3.2 to protect against the vulnerability. As a temporary workaround, consider disabling the fileupload setting to prevent pastes from getting displayed that may contain this vulnerability, but note that this will break all existing pastes with uploads.
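The rendering defect described above, as an added example that is not PrivateBin's own code: the helpers escapeHtml, renderAttachmentUnsafe, renderAttachmentSafe and looksLikeMarkup are hypothetical, and the sample file name is constructed. It contrasts concatenating a raw attachment name into markup with escaping it first, and adds a check operators can run over stored names when reviewing existing pastes after upgrading.

```javascript
// Added example (not PrivateBin's code). The root cause on this page is a
// user-controlled attachment file name reaching the page as HTML; the fix is
// to treat the name as text, never as markup. All helpers are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let a string change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the file name is concatenated straight into markup, so
// any tag inside the name becomes part of the DOM when the paste is rendered.
function renderAttachmentUnsafe(fileName) {
  return '<a class="attachment" download="' + fileName + '">' + fileName + '</a>';
}

// Hardened pattern: escape before concatenation. In a browser, prefer setting
// element.textContent and element.setAttribute(), which never parse the value
// as HTML; the escaping shown here is the equivalent for string templating.
function renderAttachmentSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<a class="attachment" download="' + safe + '">' + safe + '</a>';
}

// Review aid: flag stored attachment names that contain markup characters so
// existing pastes can be inspected after upgrading to a fixed version.
function looksLikeMarkup(fileName) {
  return /[<>"']/.test(String(fileName));
}

// Constructed sample: a benign tag in the name is enough to show the difference.
const SAMPLE_NAME = 'notes<b>bold</b>.txt';

console.log('unsafe :', renderAttachmentUnsafe(SAMPLE_NAME));
console.log('safe   :', renderAttachmentSafe(SAMPLE_NAME));
console.log('flagged:', looksLikeMarkup(SAMPLE_NAME));
```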


Related Identifiers

CVE-2020-5223
GHSA-8J72-P2WM-6738

Affected Products

Privatebin