CVSS V3: 6.8
CarrierWave Content-Type allowlist bypass vulnerability which possibly leads to XSS remained
The fix for CVE-2023-49090 was incomplete. When uploading to object storage, including Amazon S3, it is possible to set a Content-Type value containing multiple comma-separated media types; such a value passes content_type_allowlist, but browsers interpret the stored Content-Type differently from what the allowlist permits. This bypassed value can be used to cause XSS.
Use the following monkey patch to have CarrierWave determine the Content-Type with Marcel::MimeType.for.
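The following Ruby example is added here to illustrate both the bypass described above and the shape of a Marcel-style remediation; it is not CarrierWave's code and not the advisory's monkey patch. ALLOWLIST, weak_allowed?, parse_media_type, sniff_content_type and hardened_allowed? are hypothetical names, the sample upload is constructed, and the inline magic-byte table stands in for Marcel::MimeType.for so the example runs without the marcel gem.

```ruby
require 'stringio'

# Hypothetical allowlist in the shape CarrierWave users write: plain strings
# and regexps (names and values constructed for this example).
ALLOWLIST = ['image/png', 'image/jpeg', %r{\Aimage/}].freeze

# Weak check: matches the raw, client-declared Content-Type string against each
# allowlist entry as a prefix. "image/png, text/html" passes because it starts
# with "image/png"; the stored object then carries a multi-valued header.
def weak_allowed?(declared, allowlist = ALLOWLIST)
  allowlist.any? do |item|
    pattern = item.is_a?(Regexp) ? item : /\A#{Regexp.quote(item)}/
    pattern.match?(declared.to_s)
  end
end

# RFC 7231 media type: exactly one type/subtype, no list, no stray characters.
MEDIA_TYPE = %r{\A([a-z0-9!#$&^_.+-]+)/([a-z0-9!#$&^_.+-]+)\z}

# Parse a declared Content-Type into a canonical lowercase "type/subtype".
# Returns nil for a comma-separated list of values or anything that is not a
# single media type, so the caller must reject rather than guess.
def parse_media_type(declared)
  return nil if declared.nil?
  value = declared.strip
  return nil if value.include?(',')          # multiple values: reject outright
  type, _params = value.split(';', 2)        # drop parameters such as charset
  m = MEDIA_TYPE.match(type.strip.downcase)
  m && "#{m[1]}/#{m[2]}"
end

# Magic-byte table standing in for Marcel::MimeType.for (constructed; covers
# only a few signatures). Unknown content falls back to application/octet-stream,
# never to the client-declared value.
MAGIC = {
  "\x89PNG\r\n\x1a\n".b => 'image/png',
  "\xFF\xD8\xFF".b      => 'image/jpeg',
  'GIF87a'.b            => 'image/gif',
  'GIF89a'.b            => 'image/gif'
}.freeze

def sniff_content_type(io)
  io.rewind
  head = io.read(16).to_s.b
  io.rewind
  MAGIC.each { |sig, type| return type if head.start_with?(sig) }
  'application/octet-stream'
end

# Hardened check: the declared value must parse to one media type, that type
# must agree with what the bytes actually are, and only then is it compared
# against the allowlist with exact (or anchored regexp) matching.
def hardened_allowed?(declared, io, allowlist = ALLOWLIST)
  parsed = parse_media_type(declared)
  return false if parsed.nil?
  return false unless parsed == sniff_content_type(io)
  allowlist.any? { |item| item.is_a?(Regexp) ? item.match?(parsed) : item == parsed }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed upload: HTML payload declared with a multi-valued Content-Type.
  payload = StringIO.new('<script>alert(document.domain)</script>')
  evil = 'image/png, text/html'
  puts "weak:     #{weak_allowed?(evil)}"               # true  (bypass)
  puts "hardened: #{hardened_allowed?(evil, payload)}"  # false
end
```

The two properties that matter are independent of the sniffing library: a declared Content-Type that is not a single media type is rejected rather than prefix-matched, and the type that ends up on the stored object is derived from the bytes, not from the client's header. Regexp allowlist entries should be anchored at both ends for the same reason.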