savg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in
versions prior to 0.16.0 that allows an attacker to upload an SVG with
persistent cross-site scripting. HTML elements within CDATA needed to be
sanitized correctly, as we were converting them to a textnode and
therefore, the library wasn’t seeing them as DOM elements. This issue is
fixed in version 0.16.0. Any data within a CDATA node will now be sanitised
using HTMLPurifier. The maintainers have also removed many of the HTML and
MathML elements from the allowed element list, as without ForiegnObject,
they’re not legal within the SVG context. There are no known workarounds.
Author | Note |
---|---|
ccdm94 | spip includes an embedded copy of svg-sanitizer. |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28426
github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322
github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-xrqq-wqh4-5hg2
launchpad.net/bugs/cve/CVE-2023-28426
nvd.nist.gov/vuln/detail/CVE-2023-28426
security-tracker.debian.org/tracker/CVE-2023-28426