CVE-2021-25967

unknown

Published 2021-12-03 · Modified 2023-11-08

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2

—

VIR risk

—

Description

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	ckan	`>=2.9.0,<2.10.0`	`2.10.0`
PyPI	ckan	`>=2.9.0,<2.9.4`	`2.9.4`

References

https://nvd.nist.gov/vuln/detail/CVE-2021-25967
https://github.com/ckan/ckan/pull/6477
https://github.com/ckan/ckan/commit/5a46989c0a4f2c2873ca182c196da83b82babd25
https://github.com/advisories/GHSA-6w9p-88qg-p3g3
https://github.com/ckan/ckan
https://github.com/pypa/advisory-database/tree/main/vulns/ckan/PYSEC-2021-841.yaml
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25967

Verify integrity in audit chain (admin only). AS-IS.