cvelist | GitHub_M | CVELIST:CVE-2022-23638
History: Feb 14, 2022 - 9:10 p.m.

CVE-2022-23638 Cross-site Scripting in svg-sanitizer

2022-02-14 21:10:10
CWE-79
GitHub_M
www.cve.org
cross-site scripting
svg-sanitizer
php
vulnerability
version 0.15.0

CVSS3: 6.2

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 27.5%

svg-sanitizer is an SVG/XML sanitizer written in PHP. A cross-site scripting vulnerability impacts all users of the svg-sanitizer library prior to version 0.15.0. This issue is fixed in version 0.15.0. There is currently no workaround available.

CNA Affected

[
  {
    "product": "svg-sanitizer",
    "vendor": "darylldoyle",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.15.0"
      }
    ]
  }
]
