It was possible to bypass the preview check by sending a manipulated HTTP request with a MIME type like "image/png,text/html".
When parsing the Content-Type of a HTTP response, browsers see multiple MIME types, and the last one, text/html, takes precedence, allowing to execute potentially harmful JavaScript code.
This check was originally implemented to address CVE-2022-30110 then CVE-2024-12326.
Reported by:
- Yann CAM (ycam) (https://yann.cam/)
- Killian CHEVRIER (palmier) (https://killianchevrier.fr/)
git.p6c8.net / jirafeau / pcanterino.git / commitdiff