PrivateBin Persistent HTML Injection Vulnerability Allowing Cross-Site Scripting

Vulnerability

A persistent HTML injection vulnerability has been identified in PrivateBin versions 1.7.7 through 2.0.1. This vulnerability allows attackers to inject arbitrary HTML into the filename of attached files, which is then rendered without proper sanitization. The issue arises when attachments are enabled, as the unsanitized filename is displayed near the file size hint. Exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, website defacement, open redirects, and related phishing attacks.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting: the injected HTML, including script tags, is rendered and executed in the browser of any user who opens the paste, in that user's context.

Reproduction

To reproduce this vulnerability, upload a file to a PrivateBin instance with attachments enabled. Before the paste is encrypted, intercept the 'attachment_name' field and replace it with a payload containing unescaped HTML, such as a meta refresh tag. Once the paste is created, the injected HTML will be executed when the paste is opened.

Remediation

Users are advised to upgrade to PrivateBin version 2.0.2 or later. After upgrading, check that a strong Content Security Policy header is being delivered.
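The two points above, the unsafe rendering of the attachment name and the Content Security Policy check after upgrading, as an added example in JavaScript; this is not PrivateBin's own code, and the function names, class name and sample values are constructed here.

```javascript
// Added example (not PrivateBin's code): build the attachment hint shown
// next to the file size with the filename treated as text, not markup, and
// inspect a Content-Security-Policy header for settings that would let
// injected markup run script. All names and sample values are constructed.

// Escape the characters that matter when a string lands in HTML text or
// inside a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the untrusted attachment_name is concatenated straight
// into markup, so any tag in the filename is rendered as HTML.
function renderHintUnsafe(attachmentName, sizeHint) {
  return `<span class="attachment-hint">${attachmentName} (${sizeHint})</span>`;
}

// Hardened pattern: the filename is escaped before it reaches the markup.
// In a live page the equivalent is assigning el.textContent, never innerHTML.
function renderHintSafe(attachmentName, sizeHint) {
  return `<span class="attachment-hint">${escapeHtml(attachmentName)} (${sizeHint})</span>`;
}

// Parse a CSP header value into { directive: [source tokens] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Return the reasons a policy would not stop injected markup from running
// script; an empty list means the header passes this check. Note that CSP
// governs script execution, not a <meta> refresh redirect, so escaping the
// filename remains the primary fix and CSP is defence in depth.
function cspWeaknesses(header) {
  const p = parseCsp(header);
  const scriptSrc = p['script-src'] || p['default-src'];
  if (!scriptSrc) return ['no script-src or default-src directive'];
  const issues = [];
  if (scriptSrc.includes("'unsafe-inline'")) issues.push("script-src allows 'unsafe-inline'");
  if (scriptSrc.includes('*')) issues.push('script-src allows any origin');
  return issues;
}

// Constructed sample filename carrying a tag, as a reproduction would supply.
const sampleName = 'notes<i>x</i>.txt';
console.log(renderHintUnsafe(sampleName, '1.2 KiB')); // tag survives as markup
console.log(renderHintSafe(sampleName, '1.2 KiB'));   // tag rendered as text
console.log(cspWeaknesses("default-src 'none'; script-src 'self'; style-src 'self'"));
```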

Added: Oct 28, 2025, 9:18 PM
Updated: Oct 28, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 9.7
remediation: 8.3
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.