GHSA-fqx8-v33p-4qcc

Source

https://github.com/advisories/GHSA-fqx8-v33p-4qcc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-fqx8-v33p-4qcc/GHSA-fqx8-v33p-4qcc.json

Aliases

• CVE-2022-23638

Published

2022-02-14T22:54:18Z

Modified

2024-02-16T08:20:28.669768Z

Details

Impact

SVG sanitizer library before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

Patches

This issue is fixed in 0.15.0 and higher.

Workarounds

There is currently no workaround available without upgrading.

For more information

If you have any questions or comments about this advisory: * Open an issue in Github * Email us at daryll@enshrined.co.uk

References

• https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-fqx8-v33p-4qcc
• https://nvd.nist.gov/vuln/detail/CVE-2022-23638
• https://github.com/darylldoyle/svg-sanitizer/issues/71
• https://github.com/darylldoyle/svg-sanitizer/commit/17e12ba9c2881caa6b167d0fbea555c11207fbb0
• https://github.com/FriendsOfPHP/security-advisories/blob/master/enshrined/svg-sanitize/CVE-2022-23638.yaml
• https://github.com/advisories/GHSA-fqx8-v33p-4qcc
• https://github.com/darylldoyle/svg-sanitizer