SCA: security update for privatebin/privatebin (GHSA-r9x7-7ggj-fx9f)

medium Tenable Self-Hosted Container Security Plugin ID 436068

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version
1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into
the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute
arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim
to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before
they are encrypted or sent. Certain conditions must exist for the vulnerability to be exploitable. Only
macOS or Linux users are affected, due to the way the `>` character is treated in a file name on Windows.
The PrivateBin instance needs to have file upload enabled. An attacker needs to have access to the local
file system or somehow convince the user to create (or download) a malicious file (name). An attacker
needs to convince the user to attach that malicious file to PrivateBin. Any Mac / Linux user who can be
tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the
PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI
before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming
counter-measures like Content-Security-Policy (CSP) have been disabled. If CSP is not disabled, HTML
injection attacks may be possible - like redirecting to a foreign website, phishing etc. As the whole
exploit needs to be included in the file name of the attached file and only affects the local session of
the user (aka it is neither persistent nor remotely executable) and that user needs to interact and
actively attach that file to the paste, the impact is considered to be practically low. Version 2.0.3
patches the issue. (CVE-2025-64711)

See Also

https://github.com/advisories/GHSA-r9x7-7ggj-fx9f

Plugin Details

Severity: Medium

ID: 436068

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 11/15/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.37

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2025-64711

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/14/2025

Vulnerability Publication Date: 11/13/2025

Reference Information

CVE: CVE-2025-64711

cwe: CWE-79