CVE-2021-25967

Name of the Vulnerable Software and Affected Versions CKAN versions 2.9.0 through 2.9.3

Description The issue allows low privileged application users to store malicious scripts in their profile picture via SVG file upload. These scripts are executed in a victim’s browser when they open the malicious profile picture.

Recommendations For CKAN versions 2.9.0 through 2.9.3, consider disabling the SVG file upload feature for users’ profile pictures until a patch is available. Restrict access to profile pictures to minimize the risk of exploitation. Avoid using the profile picture feature in the affected versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.