OSV:GHSA-FQX8-V33P-4QCC
Feb 14, 2022 - 10:54 p.m.

Cross-site Scripting in enshrined/svg-sanitize

2022-02-14 22:54:18
Google
osv.dev

EPSS: 0.001 (percentile: 27.5%)

Impact

SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.
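
Added illustration (not code from svg-sanitize, which is a PHP library): an XML parser exposes CDATA content as character data rather than element nodes, so a sanitizer that only filters elements never sees markup wrapped in CDATA. The allowlist, the sample SVG, the `scrub_cdata` flag and the tag-like pattern are assumptions made for this example; the stricter pass is one possible check, not the project's fix.

```python
import re
from xml.dom import minidom, Node

# Constructed sample: one plain <script> element and one HTML element
# wrapped in a CDATA section, as described in the advisory.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>/* plain element */</script>'
    '<text><![CDATA[<script>/* constructed marker */</script>]]></text>'
    '</svg>'
)

ALLOWED = {"svg", "g", "text", "path", "rect", "circle"}  # hypothetical allowlist
TAG_LIKE = re.compile(r"<\s*/?\s*[A-Za-z!?]")            # hypothetical heuristic


def _walk(node, scrub_cdata):
    for child in list(node.childNodes):
        if child.nodeType == Node.ELEMENT_NODE:
            if child.tagName not in ALLOWED:
                node.removeChild(child)       # element-level filtering
            else:
                _walk(child, scrub_cdata)
        elif child.nodeType == Node.CDATA_SECTION_NODE:
            # To the XML parser this is character data, not an element.
            # An element-only filter leaves it untouched.
            if scrub_cdata and TAG_LIKE.search(child.data):
                node.removeChild(child)


def sanitize(svg, scrub_cdata):
    # minidom is used for illustration only; it does not defend against
    # entity-expansion attacks, so it is not suitable for untrusted input.
    doc = minidom.parseString(svg)
    _walk(doc.documentElement, scrub_cdata)
    return doc.documentElement.toxml()


if __name__ == "__main__":
    print("element-only :", sanitize(SAMPLE_SVG, scrub_cdata=False))
    print("with CDATA   :", sanitize(SAMPLE_SVG, scrub_cdata=True))
```

The element-only pass removes the plain `<script>` element but returns the CDATA-wrapped markup unchanged, which is harmless as `image/svg+xml` but not when the output is embedded in a `text/html` response.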

Patches

This issue is fixed in 0.15.0 and higher.

Workarounds

There is currently no workaround available without upgrading.

For more information

If you have any questions or comments about this advisory: