cvelist | GitHub_M | CVELIST:CVE-2024-30248
Apr 02, 2024 - 2:55 p.m.

CVE-2024-30248 Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page

2024-04-02 14:55:17
CWE-79
GitHub_M
www.cve.org

CVSS3: 7.7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS: 0
Percentile: 9.0%

Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Piccolo's admin panel allows media files to be uploaded. By default, SVG is an allowed file type for upload. An attacker can upload an SVG which, when loaded, can allow arbitrary access to the admin page. This vulnerability was patched in version 1.3.2.

CNA Affected

[
  {
    "vendor": "piccolo-orm",
    "product": "piccolo_admin",
    "versions": [
      {
        "version": ">= 1.2.0, < 1.3.2",
        "status": "affected"
      }
    ]
  }
]
