CVE-2024-12326

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-12326
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12326.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-12326
Published
2024-12-06T21:15:05Z
Modified
2025-01-15T05:04:45.615004Z
Summary
[none]
Details

Jirafeau normally prevents browser preview of SVG files because manipulated SVG files could be exploited for cross-site scripting. It does this by storing the MIME type of a file and refusing browser preview for the MIME type image/svg+xml. This issue was first reported in CVE-2022-30110. However, it was still possible to get a browser preview of an SVG file by sending a manipulated MIME type during the upload in which the case of any letter in image/svg+xml had been changed (like image/svg+XML). The check for image/svg+xml has been changed to be case insensitive.
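The following PHP sketch is an added illustration, not Jirafeau's own code: it puts a case-sensitive comparison of the stored MIME type beside a normalized one and runs both over constructed upload values. The function names are hypothetical, and stripping parameters and whitespace goes beyond the case-insensitivity fix the advisory describes.

```php
<?php
// Added illustration; function names are hypothetical, not Jirafeau's code.

// Case-sensitive check: the behaviour the advisory describes as bypassable.
function preview_blocked_case_sensitive(string $storedMime): bool
{
    return $storedMime === 'image/svg+xml';
}

// Reduce a client-supplied MIME type to a canonical "type/subtype":
// drop parameters (";charset=..."), surrounding whitespace, and letter case.
// Media type names are case-insensitive, so every case variant is the same type.
function normalize_mime(string $mime): string
{
    $essence = explode(';', $mime, 2)[0];
    return strtolower(trim($essence));
}

// Hardened check: compare the normalized value instead of the raw string.
function preview_blocked(string $storedMime): bool
{
    return normalize_mime($storedMime) === 'image/svg+xml';
}

// Constructed sample values, as a client could send them at upload time.
$samples = [
    'image/svg+xml',
    'image/svg+XML',
    'Image/SVG+xml',
    ' image/svg+xml ; charset=utf-8',
    'image/png',
];

foreach ($samples as $mime) {
    printf(
        "%-36s case-sensitive: %-8s normalized: %s\n",
        "'" . $mime . "'",
        preview_blocked_case_sensitive($mime) ? 'blocked' : 'allowed',
        preview_blocked($mime) ? 'blocked' : 'allowed'
    );
}
```

Only the first sample is blocked by the case-sensitive check, while the normalized check blocks all four SVG variants and still allows image/png.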

References

Affected packages

Git / gitlab.com/jirafeau/Jirafeau

Affected ranges

Type
GIT
Repo
https://gitlab.com/jirafeau/Jirafeau
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0
1.1
1.2.0

2.*

2.0.0

3.*

3.0.0
3.1.0
3.2.0
3.2.1
3.3.0
3.4.0
3.4.1

4.*

4.0.0
4.1.0
4.1.1
4.2.0
4.3.0
4.4.0
4.5.0
4.6.0