CVE-2025-24372— CKAN 跨站脚本漏洞

XSS vector in user uploaded images in group/org and user profiles in ckan

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability. This vulnerability has been fixed in CKAN 2.10.7 and 2.11.2. Users are advised to upgrade. On versions prior to CKAN 2.10.7 and 2.11.2, site maintainers can restrict the file types supported for uploading using the `ckan.upload.user.mimetypes` / `ckan.upload.user.types` and `ckan.upload.group.mimetypes` / `ckan.upload.group.types` config options. To entirely disable file uploads users can use: `ckan.upload.user.types = none`

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

CKAN 跨站脚本漏洞

CKAN是CKAN开源的一个开源 DMS（数据管理系统）。用于为数据中心和数据门户提供动力。 CKAN存在跨站脚本漏洞，该漏洞源于缺少对上传文件的适当验证，允许已注册用户上传包含恶意代码的特制文件，可能导致权限提升或其他恶意行为。

N/A

N/A