PT-2024-28716 · Unknown+1 · Privatebin+1

Nbxiglk0 · Published 2024-07-09 · Updated 2024-07-11 · CVE-2024-39899
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected software and versions: PrivateBin 1.5 through 1.7.3 (only instances that have the YOURLS proxy enabled are exposed).

Description: PrivateBin 1.5 introduced a server-side proxy for the YOURLS URL shortener. Instead of handing the YOURLS signature token to every browser, the instance keeps the token and shortens paste URLs on the client's behalf. The proxy was meant to shorten only URLs pointing at the instance itself, but its filter tested whether the submitted link contained the instance URL rather than whether it started with it. An unauthenticated visitor (PR:N in the vector above) can therefore submit a link that merely embeds the instance URL in its path, query string or fragment, and receive a short link, created with the operator's YOURLS token, that resolves to the attacker's site. Because that short link lives on the operator's trusted shortener domain, it lends credibility to phishing pages that mimic the shortener or the PrivateBin instance. No estimate of the number of affected instances is given.

The flaw is an authentication bypass caused by incomplete filtering: the attacker never learns the YOURLS token, but gets the instance to exercise it. In effect it resembles an open redirect, although nothing in PrivateBin redirects; the shortener simply hides the malicious destination behind a trusted domain. Users should apply the usual phishing precautions: check the domain they actually land on after following a short link, and use a PrivateBin instance they trust.

Recommendations: Upgrade PrivateBin 1.5 through 1.7.3 to 1.7.4, which replaces the "contains" test with a prefix check. Until you can upgrade, disable URL shortening by removing or commenting out the URL-shortener and YOURLS settings in cfg/conf.php rather than leaving the proxy reachable. Restricting network access to the proxy endpoint only helps where the instance itself is access-controlled, since every legitimate paster needs that endpoint. Audit the long URLs stored by your YOURLS instance for entries that do not begin with your PrivateBin base URL; any such entry was either created by hand or is evidence that the hole was exploited.
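The following is an added example for this entry, not code from PrivateBin or YOURLS. It restates in Python the two filtering behaviours the description contrasts (the project's own PHP is not reproduced here) and then applies the corrected predicate as the audit the recommendations call for. The base URL https://paste.example.org/, the attacker domains and the sample rows are constructed; on a real system the rows would come from YOURLS' yourls_url table (keyword, url columns), whose exact name depends on your table prefix.

```python
"""Contains-vs-prefix URL filtering, as described for CVE-2024-39899.

Added example for this entry; it is not PrivateBin's or YOURLS's code.
The two predicates re-state in Python the behaviour the advisory
describes, and the audit helpers apply the corrected predicate to
YOURLS records. Sample rows are constructed; on a real system they would
come from the yourls_url table (keyword, url), whose exact name depends
on your table prefix.
"""
from urllib.parse import urlsplit

# Assumed PrivateBin base URL. PrivateBin paste links look like
# <basepath>?<pasteid>#<key>, and basepath normally ends with '/'.
BASEPATH = "https://paste.example.org/"


def vulnerable_is_own_link(link: str, basepath: str = BASEPATH) -> bool:
    """Filter as described for PrivateBin 1.5 through 1.7.3.

    Accepts any link that *contains* '<basepath>?' somewhere, so an
    attacker's URL passes as long as it embeds the instance URL in its
    path, query string or fragment.
    """
    return bool(link) and (basepath + "?") in link


def fixed_is_own_link(link: str, basepath: str = BASEPATH) -> bool:
    """Corrected filter: the link must *start with* '<basepath>?'.

    Anchoring on the '?' that precedes the paste id also rejects
    lookalike hosts such as paste.example.org.attacker.tld, which a bare
    startswith(basepath) would let through when basepath lacks a
    trailing slash.
    """
    return bool(link) and link.startswith(basepath + "?")


def audit_yourls_rows(rows, basepath: str = BASEPATH):
    """Return the (keyword, url) rows whose long URL is not one of our pastes.

    `rows` mirrors YOURLS' yourls_url (keyword, url) columns (assumed
    names). Every hit is either a link an admin shortened by hand or a
    sign the proxy was abused; each such short link should be reviewed
    and deleted.
    """
    return [(kw, url) for kw, url in rows if not fixed_is_own_link(url, basepath)]


def suspicious_hosts(rows, basepath: str = BASEPATH):
    """Distinct destination hosts among the flagged rows, for triage."""
    return sorted({urlsplit(url).netloc for _, url in audit_yourls_rows(rows, basepath)})


# Constructed sample records (not real data): two genuine pastes, then
# two links an attacker could have shortened through the vulnerable proxy.
SAMPLE_ROWS = [
    ("k1a2b", "https://paste.example.org/?8f3a1c2d9e0b4f7a#Kx9QwZ2pL0mN"),
    ("k3c4d", "https://paste.example.org/?1a2b3c4d5e6f7a8b"),
    ("k5e6f", "https://phish.example.net/login?next=https://paste.example.org/?8f3a1c2d"),
    ("k7g8h", "https://evil.example/#https://paste.example.org/?deadbeef"),
]


if __name__ == "__main__":
    for _, url in SAMPLE_ROWS:
        print(f"vulnerable={vulnerable_is_own_link(url)!s:5} fixed={fixed_is_own_link(url)!s:5} {url}")
    print("flagged:", [kw for kw, _ in audit_yourls_rows(SAMPLE_ROWS)])
    print("hosts:", suspicious_hosts(SAMPLE_ROWS))
```

Both attacker rows pass the "contains" predicate and fail the prefix predicate, which is the whole bug; the audit therefore flags exactly those two keywords. Run the audit against the full contents of your YOURLS table, not only recent rows, since the proxy has been exploitable since 1.5.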

Related Identifiers

CVE-2024-39899
GHSA-MQQJ-FX8H-437J

Affected Products

Privatebin
Yourls