Veracode Vulnerability DatabaseVERACODE:42812Cross-site Scripting (XSS)
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
EPSS
Percentile
29.2%
external-svg-loader is vulnerable to Cross-site Scripting (XSS). The vulnerability exists due to the lack of input sanitization in the renderBody function of svg-loader.js, which allows an attacker to inject and execute malicious JavaScript through a maliciously crafted SVG.
References
github.com/advisories/GHSA-xc2r-jf2x-gjr8
github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128
github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c
github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8
github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
EPSS
Percentile
29.2%