In the SVG documents section of the Security administration interface, users with the ADMIN role can configure a toggle to prevent privilege escalation attacks.
A privilege escalation attack can occur in the following circumstances:
- A user with the KHUB_ADMIN or CONTENT_PUBLISHER role uploads an SVG document.
- A user with the ADMIN, USERS_ADMIN or PORTAL_ADMIN role views that document in the Viewer page or previews it in the Search page.
- The user with the KHUB_ADMIN or CONTENT_PUBLISHER role injects JavaScript into the SVG document to get rights reserved for users with the ADMIN, USERS_ADMIN or PORTAL_ADMIN role.
SVG documents include all unstructured documents, attachments and resources with the MIME type image/svg+xml.
When the toggle is active, Fluid Topics does not render the scripts contained in an SVG document when it displays that document in the portal. The stored file is not modified: users who download the SVG document can still read the scripts locally on their machines.
Disabling the toggle makes the portal vulnerable to privilege escalation attacks.
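As an added illustration, not Fluid Topics code, the Python below shows what a toggle of this kind has to do for a document whose MIME type is image/svg+xml: build a script-free copy for inline rendering, report what was removed, and leave the stored file (and therefore the downloadable copy) untouched. The sample SVG, the function names and the three removal rules are constructed for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample, not a real upload: an SVG carrying a script element,
# an event-handler attribute and a javascript: link, the three places where
# script can live in an SVG document.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <script>/* would run with the viewing user's session */</script>
  <rect width="10" height="10" onclick="/* handler */"/>
  <a xlink:href="javascript:void(0)"><text>link</text></a>
</svg>"""

def is_svg_mime(mime_type):
    """True for image/svg+xml, ignoring parameters such as ';charset=utf-8'."""
    return mime_type.split(";", 1)[0].strip().lower() == "image/svg+xml"

def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def strip_svg_scripts(svg_text):
    """Return (render_copy, findings): a copy of the SVG with <script> elements,
    on* event attributes and javascript: hrefs removed, plus a list of what was
    removed. The caller keeps the original bytes for download. Production code
    should parse with a hardened XML parser such as defusedxml."""
    root = ET.fromstring(svg_text)
    findings = []
    for parent in list(root.iter()):          # snapshot: we mutate children
        for child in list(parent):
            if _local(child.tag).lower() == "script":
                parent.remove(child)
                findings.append(f"<script> element under <{_local(parent.tag)}>")
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            name = _local(attr).lower()
            if name.startswith("on"):         # onload, onclick, ... handlers
                del elem.attrib[attr]
                findings.append(f"event handler {name} on <{_local(elem.tag)}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                del elem.attrib[attr]
                findings.append(f"javascript: href on <{_local(elem.tag)}>")
    return ET.tostring(root, encoding="unicode"), findings
```

Calling `strip_svg_scripts(SAMPLE_SVG)` returns a copy with only the `<rect>`, `<a>` and `<text>` elements left, together with three findings that a portal could log or surface to an administrator.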