PT-2024-23295 · Unknown · Piccolo Admin

Skelmis · Published 2024-04-01 · Updated 2024-04-02 · CVE-2024-30248

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Piccolo Admin versions prior to 1.3.2
Description: Piccolo Admin's media upload feature accepts SVG files by default. An SVG is an XML document and may contain <script> elements and event-handler attributes, which a browser executes when the file is rendered inline from the admin interface's origin. An attacker with upload rights can therefore store a malicious SVG; when an authenticated administrator opens it, the embedded script runs with that administrator's session (stored cross-site scripting). It can read any data exposed through the admin interface and create, modify or delete table records on the administrator's behalf, actions that would otherwise be restricted to that account. The CVSS vector reflects this: low privileges suffice to upload the file (PR:L), a privileged user has to open it (UI:R), and the impact lands on the admin session rather than on the upload endpoint itself (S:C).
Recommendations: Update Piccolo Admin to version 1.3.2 or later. Until the update can be applied: disable SVG uploads, and restrict who can reach the admin panel, to limit both who can plant a file and who can trigger it; set security headers on responses that serve uploaded media, in particular a Content-Security-Policy that forbids script execution (the deprecated X-XSS-Protection header is not a substitute) together with X-Content-Type-Options: nosniff; and serve uploads with Content-Disposition: attachment so the browser downloads them instead of rendering them inline in the admin origin. Changing Piccolo Admin's template generation to emit these headers by default, or to force downloads for attachments, is the durable form of the same workaround. Serving user-uploaded media from a separate origin removes the admin session from the blast radius entirely.
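As an added illustration of the workarounds above (example code written for this page, not Piccolo Admin's own implementation; every function name, constant and sample file here is this example's own assumption), the following Python shows an upload validator that refuses SVG content even when the file has been renamed to an allowed extension, and the response headers that make a browser download a stored file rather than render it inline in the admin origin.

```python
"""Added example, not Piccolo Admin's code: two of the advisory's workarounds
for a hypothetical media-upload endpoint.

1. validate_upload() refuses SVG on upload, detecting it from the file
   content instead of trusting the extension.
2. media_response_headers() builds headers that force a download and
   block script execution if the file is ever rendered anyway.
"""
from __future__ import annotations

import os
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Extensions the hypothetical media store accepts. "svg" is deliberately
# absent: a browser rendering an SVG inline executes <script> elements and
# event-handler attributes inside it.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

MIME_BY_EXTENSION = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
}

# Leading bytes each allowed type must start with (magic numbers).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def extension_of(filename: str) -> str:
    """Lower-cased extension of the basename, or '' when there is none."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def looks_like_svg(data: bytes) -> bool:
    """True if the bytes parse as XML whose root element is <svg>.

    A renamed file (evil.svg -> evil.png) still fails this check, which an
    extension allow-list alone would miss. Production code should parse
    untrusted XML with a hardened parser such as defusedxml.
    """
    try:
        root = ET.fromstring(data)
    except (ET.ParseError, ValueError):
        return False
    # ElementTree renders a namespaced tag as "{namespace}local-name".
    return root.tag in (f"{{{SVG_NS}}}svg", "svg")


def validate_upload(filename: str, data: bytes) -> str | None:
    """Return None when the upload is acceptable, else a rejection reason."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension {ext!r} not allowed"
    if looks_like_svg(data):
        return "SVG content rejected regardless of extension"
    if not data.startswith(MAGIC[ext]):
        return f"content does not match declared type {ext!r}"
    return None


def media_response_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload so the browser never executes it
    in the admin origin: download instead of inline, no MIME sniffing, and a
    CSP that forbids scripts even if something does render the body."""
    ext = extension_of(filename)
    safe_name = _UNSAFE_NAME_CHARS.sub("_", os.path.basename(filename)) or "download"
    return {
        "Content-Type": MIME_BY_EXTENSION.get(ext, "application/octet-stream"),
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs for the demonstration (not real uploads).
MALICIOUS_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>/* would run in the admin origin if rendered inline */</script>"
    b"</svg>"
)
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # PNG signature only, not a real image

if __name__ == "__main__":
    for name, blob in [("logo.svg", MALICIOUS_SVG),
                       ("logo.png", MALICIOUS_SVG),
                       ("logo.png", FAKE_PNG)]:
        print(f"{name}: {validate_upload(name, blob) or 'accepted'}")
    print(media_response_headers("q3 report.pdf"))
```

The content check matters more than the allow-list: removing svg from the accepted extensions stops the obvious case, but a file whose bytes are SVG and whose name says .png is caught only by parsing the body, and the magic-number comparison rejects anything else that does not match its declared type. On the serving side, Content-Disposition: attachment is the control that actually breaks the attack chain; the CSP and nosniff headers are defence in depth for any path that still renders the file.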

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-30248
GHSA-PMWW-V6C9-7P83

Affected Products

Piccolo Admin