In the SVG documents section of the Security administration interface, users with the ADMIN
role can configure a toggle to prevent privilege escalation attacks.
A privilege escalation attack can occur in the following circumstances:

- A user with the KHUB_ADMIN or CONTENT_PUBLISHER role uploads an SVG document.
- A user with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role views that document in the Viewer page or previews it in the Search page.
- The user with the KHUB_ADMIN or CONTENT_PUBLISHER role injects JavaScript into the SVG document to obtain rights reserved for users with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role.

SVG documents include all unstructured documents, map attachments and resources with the MIME type image/svg+xml.
When the toggle is enabled, Fluid Topics does not display scripts in the SVG document directly in the portal. Users who download the SVG document can read the scripts locally on their machines.
Disabling the toggle makes the portal vulnerable to privilege escalation attacks.
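The following is an added example, not Fluid Topics' own code, showing the kind of check a portal can run on an uploaded SVG before rendering it inline: it parses the document, reports active content (script elements, on* event-handler attributes and javascript: URLs) and returns a copy with that content removed, which is the behaviour the toggle described above provides. The sample SVG strings are constructed for illustration.

```python
"""Scan an uploaded SVG for active content and produce a script-free copy."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

ACTIVE_ELEMENTS = {"script"}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}


def _local(name):
    """Strip a '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return (findings, sanitized_svg). Parsing only; nothing is executed."""
    root = ET.fromstring(svg_text)
    findings = []
    # Collect offending elements first, then remove them, so the tree is
    # not modified while it is being iterated.
    removals = [(p, c) for p in root.iter() for c in p
                if _local(c.tag) in ACTIVE_ELEMENTS]
    for parent, child in removals:
        findings.append(("element", _local(child.tag)))
        parent.remove(child)
    for elem in root.iter():
        for name in list(elem.attrib):
            value = elem.attrib[name]
            if _local(name).lower().startswith("on"):
                findings.append(("event-handler", _local(name)))
                del elem.attrib[name]
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-url", _local(name)))
                del elem.attrib[name]
    return findings, ET.tostring(root, encoding="unicode")


# Constructed sample: one script element, one event handler, one javascript: link.
SAMPLE_SVG = (
    '<svg xmlns="%s" xmlns:xlink="%s" width="10" height="10">'
    '<script>console.log("active content")</script>'
    '<rect width="10" height="10" onload="console.log(1)"/>'
    '<a xlink:href="javascript:void(0)"><text>link</text></a>'
    '</svg>' % (SVG_NS, XLINK_NS)
)
# Constructed sample with no active content.
CLEAN_SVG = '<svg xmlns="%s" width="10" height="10"><rect width="10" height="10"/></svg>' % SVG_NS

if __name__ == "__main__":
    print(scan_svg(SAMPLE_SVG))
```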