Release v2.0.3 - Fix arbitrary PHP file inclusion & self-XSS vulnerabilities

[elrido]

• FIXED: Prevent arbitrary PHP file inclusion when enabling template switching (CVE-2025-64714)
• FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users (CVE-2025-64711)
• FIXED: Unable to create a new paste from the cloned one when a JSON file attached (Unable to create a new paste from the cloned one when a JSON file attached #1585)

This release addresses issues with arbitrary PHP file inclusion when enabling template switching and lacking sanitation of file names when drag-&-dropping files into PrivateBin with malicious filenames. Security advisories with additional details will be published soon and linked here.

---

This discussion was created from the release Release v2.0.3 - Fix arbitrary PHP file inclusion & self-XSS vulnerabilities.

[rugk]

Vulnerability updates

As the comments for the advisories are closed when they are published, here some updates. I've re-added the detailed impact analysis results here to also transparently explain in the open for the community what we have analyzed (the commends in the advisories by maintainers are private/they cannot see them). While I like the summary at the top, IMHO, it's also important to explain that we carefully considered attack vectors here and analyzed it as best as we could (because this e.g. also impacts the score/rating).

CVEs are being requested from GitHub and hopefully shall be assigned in the next days. I'd suggest we also add these to the release notes/website then again, as they are the no 1 thing people search for, so they should find our reports e.g. and it's clear what vulnerability belongs to which CVEs. (Companies use that to evaluate how fast they should update etc. e.g.)

[elrido]

It had not been removed from the advisory, I only shared it in the detailed internal discussion to clarify upon your request for what I had tested, but sure, it can be added to the report made a bit more readable.

When I consume such reports on software that I host or use in business, I prefer that the crucial information in the form of a summary of the possible risks and the conditions they apply is on top, so I can assess how urgent the updates are (as in, do I drop everything and do an all-nighter or can it wait till tomorrow). The deep technical details are fun learning material for me as a developer, but should be in the appendix.

Please do help keep the pelican site in sync, as those are the primary sources IMHO. The github reports we may one day loose, if they decide to change their platform, such as make it a paid feature or if we (are forced to) migrate elsewhere.

[rugk]

but should be in the appendix.

Yeah if we have some sort of that, we could also elaborate more on that? But IMHO, this was the fastest way to place it (and I did not know any other place), I mean one can always skip it and it's just some bullet points.
Maybe a separate blog post would be possible, but that yet again would need more details then. Just some bullet points are then too few to warrant an own blog post, yet again.

I'll guess one should do the website syncing when we have CVE numbers, then it's worth it! 🙂

[rugk]

Update done BTW: PrivateBin/privatebin.info-pelican#49