CVE-2021-25967
pypi/ckan
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CKAN is affected by a stored XSS vulnerability via SVG file upload of a user's profile picture. This allows low-privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim's browser when they open the malicious profile picture.
All versions starting from 2.9.0 up to 2.9.3
Upgrade to version 2.9.4 or above.
2021-12-03
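The root cause described above is that an SVG, which is an XML document and may carry script elements and event handlers, was accepted where a raster image was expected. The following is an added illustration of the defensive check involved; it is not CKAN's own code and not the patch shipped in 2.9.4. It validates a profile-picture upload by its actual leading bytes rather than by the client-supplied filename or Content-Type, rejects anything that looks like XML/SVG markup, and requires the extension and declared type to agree with what was detected. All signatures, names and sample uploads are constructed for this example.

```python
import os
import re

# Constructed allowlist: file signatures (magic bytes) for the raster formats a
# profile picture may be. SVG is deliberately absent: it is XML and can embed
# <script> elements and on* event handlers that a browser will execute.
ALLOWED_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Extensions permitted for each accepted MIME type (constructed).
ALLOWED_EXTENSIONS = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}

# Defence in depth: anything that opens like an XML or SVG document is rejected
# outright, even before the signature check (an optional UTF-8 BOM is tolerated).
_XML_OR_SVG = re.compile(rb"^(\xef\xbb\xbf)?\s*(<\?xml|<!doctype\s+svg|<svg\b)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_profile_picture(filename: str, declared_type: str, data: bytes) -> str:
    """Validate a profile-picture upload and return the MIME type to store it under.

    `filename` and `declared_type` come from the client and are never trusted on
    their own; the decision is made on the bytes actually uploaded.
    """
    if _XML_OR_SVG.match(data[:1024]):
        raise UploadRejected("SVG/XML content is not accepted as a profile picture")

    actual = sniff_image_type(data)
    if actual is None:
        raise UploadRejected("file is not a recognised raster image")

    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS[actual]:
        raise UploadRejected(f"extension {ext!r} does not match detected type {actual}")

    # Strip any parameters such as "; charset=..." before comparing the media type.
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared != actual:
        raise UploadRejected(f"declared type {declared_type!r} does not match detected type {actual}")

    return actual


# Constructed sample uploads for a self-check (PNG header only; SVG with an empty script element).
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_WITH_SCRIPT = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                   b"<script>/* constructed marker, no payload */</script></svg>")

if __name__ == "__main__":
    print("avatar.png accepted as", validate_profile_picture("avatar.png", "image/png", PNG_STUB))
    attempts = [
        ("avatar.svg", "image/svg+xml", SVG_WITH_SCRIPT),   # honest SVG upload
        ("avatar.png", "image/png", SVG_WITH_SCRIPT),       # SVG disguised as PNG
        ("avatar.jpg", "image/png", PNG_STUB),              # extension/content mismatch
    ]
    for name, ctype, body in attempts:
        try:
            validate_profile_picture(name, ctype, body)
        except UploadRejected as exc:
            print(f"{name} rejected: {exc}")
```

The check is deliberately an allowlist of raster formats rather than a blocklist of SVG patterns, since markup can be obfuscated in many ways and the magic-byte comparison does not depend on spotting any of them. If an application genuinely needs to accept SVG, the image should be served from a separate origin, with a `Content-Disposition: attachment` header or a restrictive Content-Security-Policy, so that any embedded script cannot run in the application's origin.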