CVE-2022-1091

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-1091

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-1091.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-1091

Aliases

GHSA-5h7w-hmxc-99g5

Published

2022-04-18T18:15:09Z

Modified

2024-05-14T11:07:48.814999Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).

References

Affected packages

Git / github.com/10up/safe-svg

Affected ranges

Type: GIT
Repo: https://github.com/10up/safe-svg
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2e3c5bd22d90169006413cf74ec3f4cc5baeaa7c

Affected versions

1.*

1.6.1

1.7.0

1.7.1

1.8.1

1.9.0

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9