PrivateBin v1.2.2 Release Notes
Release Date: 2020-01-11
This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.
🚀 On 25th of December 2019, an issue was discovered and fixed which allowed the user-provided attachment file name to inject HTML under certain conditions, leading to a persistent cross-site scripting (XSS) vulnerability. This release includes an improved solution that addresses the issue on a broader scope, preventing it from recurring in other areas of the code in the future.
⚡️ Further details on this issue and its implications can be found in our report on the vulnerability. It also describes methods to check whether your browser is currently affected by the issue. If it is, please consider updating your browser.
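To illustrate the class of bug described above, the following added example (not PrivateBin's own code) contrasts building an attachment's download link by concatenating the raw filename into markup with escaping it first; the helper names `escapeHtml`, `renderAttachmentLinkUnsafe`, `renderAttachmentLink` and `containsRawTag` are hypothetical.

```javascript
// Added illustration of unescaped-filename HTML injection; not PrivateBin's code.
// All function names below are hypothetical.

// Escape the five characters that let untrusted text change HTML structure,
// so the value is inert both inside an attribute and as a text node.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the user-supplied filename is concatenated straight
// into markup, so a name containing tags becomes part of the DOM.
function renderAttachmentLinkUnsafe(filename, href) {
  return '<a href="' + href + '" download="' + filename + '">' + filename + "</a>";
}

// Hardened pattern: every untrusted value is escaped once for each context
// (attribute value and element text) in which it lands.
function renderAttachmentLink(filename, href) {
  const safeName = escapeHtml(filename);
  const safeHref = escapeHtml(href);
  return '<a href="' + safeHref + '" download="' + safeName + '">' + safeName + "</a>";
}

// Constructed sample filename carrying markup (harmless <b> tag) and a quote
// that would close the download attribute early.
const SAMPLE_FILENAME = 'report<b>bold</b>".txt';

// Check whether the rendered markup still contains a raw tag from the filename.
function containsRawTag(html) {
  return /<b>/.test(html);
}
```

In a browser the equivalent hardening is to create the anchor with `document.createElement` and assign the name through `textContent` and `setAttribute` rather than through `innerHTML`.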
🚀 Benefits of switching to the new release
⬆️ We recommend upgrading 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have file uploads enabled and uses the recommended CSP header to mitigate XSS attacks.
⚡️ Update procedure
🐳 We also offer a Docker container that includes the recommended secure setup, with the non-essential files and data kept outside of the web server's document root.
🔄 Changes since version 1.2.1
- ⬆️ CHANGED: Upgrading libraries to: bootstrap 3.4.1, DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
- 🛠 FIXED: HTML injection via unescaped attachment filename (#554)
🚀 More details about the plans for future releases, and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.2 & 1.2.2 release announcements.