SCA: security update for privatebin/privatebin (GHSA-cqcc-mm6x-vmvw)

medium Tenable Cloud Security Plugin ID 414025

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted
data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is
present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue
is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the
user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and
the instance isn't protected by an appropriate content security policy. Users are advised to either
upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.
(CVE-2022-24833)

See Also

https://github.com/advisories/GHSA-cqcc-mm6x-vmvw

Plugin Details

Severity: Medium

ID: 414025

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-24833

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/12/2022

Vulnerability Publication Date: 4/11/2022

Reference Information

CVE: CVE-2022-24833

cwe: CWE-79