CVE-2021-25967

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/ckan

Identifiers

CVE-2021-25967

Package Slug

pypi/ckan

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

CKAN is affected by a stored XSS vulnerability via SVG file upload for users' profile pictures. This allows low-privileged application users to store malicious scripts in their profile picture. These scripts execute in a victim's browser when the victim opens the malicious profile picture.
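The root cause is that an avatar upload endpoint accepted SVG, which is XML and may carry active content, and later served it where a browser would render it. The following is an added example of content-based allow-listing for avatar uploads; it is not CKAN's code or its fix, and the function names, the raster-only policy and the constructed sample inputs are assumptions made for illustration. Because an SVG can be embedded in an XML document, the check sniffs the actual bytes rather than trusting the client-declared filename or Content-Type; a secondary helper flags script elements and event-handler attributes for deployments that must accept SVG in some other context (in production, parse untrusted XML with defusedxml rather than the stdlib parser used here for portability).

```python
"""Content-based validation of profile-picture uploads (added example, not CKAN code)."""
import xml.etree.ElementTree as ET

# Magic-byte prefixes of the raster formats an avatar may use. Only the bytes are
# trusted; the client-supplied filename and Content-Type are cross-checked, not relied on.
_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg', 'gif', 'svg' or None, decided from file contents."""
    for name, magic in _MAGIC.items():
        if data.startswith(magic):
            return "gif" if name.startswith("gif") else name
    head = data.lstrip()[:512].lower()
    # An SVG may start with an XML declaration, a DOCTYPE or the <svg> root directly.
    if head.startswith(b"<?xml") or head.startswith(b"<!doctype") or b"<svg" in head:
        return "svg"
    return None


def svg_has_active_content(data: bytes) -> bool:
    """True if an SVG document carries script elements, foreignObject (embedded HTML),
    on* event-handler attributes or javascript: hrefs. Unparseable input is treated as unsafe.
    For avatars the policy below rejects SVG outright; this helper is for contexts that must
    accept SVG and want at least a structural check before a real sanitizer runs."""
    try:
        root = ET.fromstring(data)  # hypothetical: use defusedxml.ElementTree in production
    except ET.ParseError:
        return True
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
        if tag in ("script", "foreignobject"):
            return True
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):
                return True
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def validate_profile_picture(data: bytes, declared_mime: str):
    """Return (accepted, reason). Only raster formats detected from the bytes are accepted,
    and the declared MIME type must agree with what was detected."""
    kind = sniff_image_type(data)
    if kind is None:
        return False, "unrecognised image format"
    if kind == "svg":
        return False, "svg is not accepted for profile pictures (may contain active content)"
    if declared_mime != f"image/{kind}":
        return False, f"declared type {declared_mime!r} does not match content ({kind})"
    return True, kind


# Constructed sample inputs (not real uploads): a PNG header stub and two tiny SVGs.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SVG_WITH_SCRIPT = (
    b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>/* constructed placeholder, no real payload */</script></svg>"
)

if __name__ == "__main__":
    for label, blob, mime in [
        ("png avatar", PNG_STUB, "image/png"),
        ("png declared as svg", PNG_STUB, "image/svg+xml"),
        ("clean svg", CLEAN_SVG, "image/svg+xml"),
        ("svg with script", SVG_WITH_SCRIPT, "image/svg+xml"),
    ]:
        print(label, "->", validate_profile_picture(blob, mime))
```

Rejecting SVG for avatars is the simplest complete fix for this class of bug; where SVG must be kept, the usual complements are serving uploads from a separate origin, sending them with `Content-Disposition: attachment`, and applying a restrictive Content-Security-Policy, so a stored file cannot run script in the application's origin even if a sanitizer misses something.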

Affected Versions

All versions starting from 2.9.0 up to 2.9.3

Solution

Upgrade to version 2.9.4 or above.

Last Modified

2021-12-03
