CVE-2024-47872 Information

Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a Cross-Site Scripting (XSS) issue affecting any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio server that allows file uploads, particularly those using components that process or display user-uploaded files. Users are advised to upgrade to gradio>=5 to address this issue. As a workaround, users can restrict the types of files that can be uploaded to the Gradio server by limiting uploads to non-executable file types such as images or text. Additionally, developers can implement server-side validation to sanitize uploaded files, ensuring that HTML, JavaScript, and SVG files are properly handled or rejected before being stored or displayed to users.
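The workaround described above (an allow-list of non-executable upload types plus server-side validation that rejects HTML, JavaScript and SVG) as an added Python example; this is not Gradio's own code. The allowed-extension set, the image signatures and the hook point (calling it before an upload is stored or rendered) are assumptions for this example.

```python
import re
from pathlib import Path

# Allow-list of non-executable types, following the advisory's workaround
# (the exact set is constructed for this example).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".txt", ".csv", ".json"}

# Script-bearing types named in the advisory; refused outright.
BLOCKED_EXTENSIONS = {".html", ".htm", ".xhtml", ".js", ".mjs", ".svg", ".svgz"}

# Leading bytes an image upload must carry for its claimed extension, so a
# renamed text file cannot pass as an image (WEBP checked by its RIFF prefix only).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),
}

# Markers of browser-active content, checked in the body so that an HTML or
# SVG document renamed to an allowed extension is still refused.
_ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|svg|html|body|iframe|object|embed)\b|<!doctype\s+html|javascript:",
    re.IGNORECASE,
)


def classify_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload; call before storing it."""
    ext = Path(filename).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not on allow-list"
    magic = IMAGE_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        return False, f"body does not match {ext} signature"
    # Only the first 4 KiB is sniffed; active markup is near the top of a document.
    if _ACTIVE_CONTENT.search(data[:4096]):
        return False, "active content found in file body"
    return True, "ok"
```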

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/gradio-app/gradio/security/advisories/GHSA-gvv6-33j7-884g

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
