Lucene search

GitHub Advisory DatabaseGHSA-MPP5-2X55-49XW

HistoryJan 06, 2022 - 7:45 p.m.

XSS in svg2png (NPM package)

2022-01-0619:45:13

CWE-79

GitHub Advisory Database

github.com

xss

svg2png

npm

vulnerability

ssrf

javascript

svg

document

software

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

37.3%

JSON

svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an SVG document.

Affected configurations

Vulners

Node

svg2png_projectsvg2pngRange≤4.1.1

VendorProductVersionCPE
svg2png_projectsvg2png*cpe:2.3:a:svg2png_project:svg2png:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
svg2png_project	svg2png	*	cpe:2.3:a:svg2png_project:svg2png::::::::

References

github.com/advisories/GHSA-mpp5-2x55-49xw

github.com/domenic/svg2png/issues/117

nvd.nist.gov/vuln/detail/CVE-2020-11887

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

37.3%

JSON

Related for GHSA-MPP5-2X55-49XW