Summary
Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page
Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page.
This access allows the following actions for example:
- The ability for an attacker to gain access to all data stored within the admin page
- The ability for an attacker to make any action within the admin page such as creating, modifying or deleting table records
As the SVG is executed from the context of an authenticated admin session, any actions they may be able to make can be made by the attacker.
N.b. The relevant session cookies are inaccessible from JavaScript due to httponly being set so all exploits must be present within the SVG file
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Currently, this requires the ability for a user to have access to an administrators account in order to upload the malicious file for simplicity sake. I can however imagine situations where general end users have the ability to upload files which can later be managed via the admin page.
See the following repository: Piccolo XSS
- Clone the repo
- Run all migrations & create an admin user
- Run
app.pyas a FastAPI application - Login to the admin page
- Create a new task and upload the following file to see basic execution:
payloads/basic_xss.svg - Click the SVG to view it inline
- Click "Open image in new tab"
- Observe the XSS triggering
Fig 1: An example XSS payload executing
Extended PoC
This repo also includes an extended PoC which sends the Task table to an attacker controlled server.
- Run
exhil_server.pyas a FastAPI application - Upload the following payload:
payloads/exhil.svg - Open the SVG in a new tab and observe the data being sent to the attacker controlled server
Fig 2: An example screenshot from the attacker controlled server showing incoming data
Further, the repo includes a list of routes the admin panel exposes which could be used to automate table discovery and compromise in a more sophisticated PoC.
Further thoughts
While this issue has been raised against the piccolo_admin repository, it technically exists for all file uploads within a piccolo website if an end developer chooses to include the ability to view SVG files inline within their application. Further thought should likely be given to either or both of the following:
- Ensuring the documentation for media handling includes some form of warning/recommendation relating to this. Ideally I think it should just provide an example of a code fix and link to security headers to test their own application
- Modifying the Piccolo template generation to include the relevant security headers by default. These include things such as xss protection and a content security policy. This site is a great resource for testing the security headers set on a website
Given the need to allow end developers the freedom to allow for SVG upload, removing the ability to upload them entirely is likely out of the picture.
This could also be resolved by making attempts to view attachments in a new tab set the relevant content-disposition header and force the browser to download the file instead of rendering it inline of the website.
What are your thoughts on the approach to take to mitigate this?
Impact
What kind of vulnerability is it? Who is impacted?
All applications with the following conditions present are affected:
- An enabled admin panel
- A model which features media upload that allows for SVG files
Further, if the site is behind a proxy of sorts it must not set the relevant security headers.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2024-30248 has a CVSS score of 7.7 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.3.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-30248? CVE-2024-30248 is a high-severity cross-site scripting (XSS) vulnerability in piccolo-admin (pip), affecting versions >= 1.2.0, < 1.3.2. It is fixed in 1.3.2. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2024-30248? CVE-2024-30248 has a CVSS score of 7.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of piccolo-admin are affected by CVE-2024-30248? piccolo-admin (pip) versions >= 1.2.0, < 1.3.2 is affected.
- Is there a fix for CVE-2024-30248? Yes. CVE-2024-30248 is fixed in 1.3.2. Upgrade to this version or later.
- Is CVE-2024-30248 exploitable, and should I be worried? Whether CVE-2024-30248 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-30248 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-30248? Upgrade
piccolo-adminto 1.3.2 or later.