CVE-2022-30110: [BUGFIX] Disallow file preview for image/svg+xml files (!103) · Merge requests · Jérôme Jutteau / Jirafeau · GitLab

The file preview functionality in Jirafeau < 4.4.0, which is enabled by default, could be exploited for cross-site scripting. An attacker could upload image/svg+xml files containing JavaScript. When someone visits the File Preview URL for such a file, the JavaScript inside the image/svg+xml file is executed in the user's browser.


Merged. Requested to merge wouterdedroog/Jirafeau:master into next-release, Mar 21, 2022


This PR fixes the issue I’ve privately disclosed in #284.

EDIT: Since this issue is now fixed I feel comfortable in sharing the details. In Jirafeau versions before 4.4.0, it was possible to exploit the File Preview functionality to execute JavaScript for every user that visited a specifically crafted file preview.

This was possible because image/svg+xml files were directly shown to the user. image/svg+xml files can contain executable JavaScript, meaning that a malicious actor could upload an SVG file containing JavaScript. When a user visited this page, the JavaScript embedded in this file would be executed. This could for example lead to account takeovers or redirect users to phishing pages.

As an example, the following SVG file could be uploaded: test.svg. When a user visits the Jirafeau preview link for this image in versions before 4.4.0, an alert box will open with the current URL.

Edited Apr 30, 2022 by Wouter de Droog
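The mitigation the merge request title describes, disallowing inline preview for image/svg+xml, as an added example that is not Jirafeau's own code (Jirafeau is written in PHP; this is written in Python so it runs stand-alone). It goes slightly beyond the fix on the page: instead of blocking only the declared SVG type, it renders inline only an allowlist of raster image types, sniffs the file body so a renamed SVG with a spoofed Content-Type is also forced to download, sanitises the filename used in the Content-Disposition header, and adds `X-Content-Type-Options: nosniff` and a CSP `sandbox` directive as defence in depth. The function and constant names, the `Response` type and the sample files are all constructed for this example.

```python
"""Added example (not Jirafeau's code): safe handling of a file-preview request.

The advisory above describes the pre-4.4.0 behaviour: the uploaded file was
served inline with whatever Content-Type the uploader declared, so an SVG with
embedded JavaScript ran in the visitor's browser on the service's own origin.
"""
import re
from dataclasses import dataclass

# Only raster images are rendered inline. Browsers never execute scripts from
# these formats, whereas image/svg+xml is an XML document that may carry
# <script> elements and event handlers.
PREVIEW_INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


@dataclass
class Response:
    """Minimal stand-in for a framework HTTP response (constructed for the example)."""
    status: int
    headers: dict
    body: bytes


def safe_filename(filename: str) -> str:
    """Reduce a user-supplied filename to characters that cannot break the
    Content-Disposition header (no quotes, CR/LF or other separators)."""
    return re.sub(r"[^\w.\-]", "_", filename)


def looks_like_svg(data: bytes) -> bool:
    """Sniff the body for an SVG document regardless of the declared type.

    Checks the leading bytes (after an optional UTF-8 BOM and whitespace) for an
    XML prolog followed by an <svg> root, or a bare <svg> root.
    """
    head = data[:512]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    head = head.lstrip().lower()
    if head.startswith(b"<svg"):
        return True
    return head.startswith(b"<?xml") and b"<svg" in data[:4096].lower()


def is_preview_allowed(declared_type: str, data: bytes) -> bool:
    """True only when the file may be rendered inline by the browser."""
    return declared_type.lower() in PREVIEW_INLINE_TYPES and not looks_like_svg(data)


def preview_response(filename: str, declared_type: str, data: bytes) -> Response:
    """Build the response for a preview URL.

    Allowed raster images are served inline with their declared type; anything
    else (SVG included, even when mislabelled) is served as an opaque download.
    """
    name = safe_filename(filename)
    headers = {
        # Stop the browser from reinterpreting the body as another type.
        "X-Content-Type-Options": "nosniff",
        # Even if a document did render, a sandboxed context may not run script
        # or reach the origin's cookies and storage.
        "Content-Security-Policy": "sandbox",
    }
    if is_preview_allowed(declared_type, data):
        headers["Content-Type"] = declared_type.lower()
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return Response(200, headers, data)


# Constructed sample inputs: a minimal PNG header and an SVG carrying a script
# element, the kind of upload the advisory describes.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = (
    b'<?xml version="1.0"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>/* constructed sample: would run if rendered inline */</script>"
    b"</svg>"
)

if __name__ == "__main__":
    for fname, ctype, body in [
        ("photo.png", "image/png", PNG_SAMPLE),
        ("test.svg", "image/svg+xml", SVG_SAMPLE),
        ("renamed.png", "image/png", SVG_SAMPLE),  # spoofed Content-Type
    ]:
        resp = preview_response(fname, ctype, body)
        print(f"{fname:12} {ctype:14} -> {resp.headers['Content-Disposition']}")
```

The allowlist approach matters more than the SVG check itself: a denylist of one MIME type still leaves `text/html`, `application/xhtml+xml` and similar active content to be served inline from the same origin, so a preview feature should only ever render the handful of types known to be passive.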
