GHSA-fqx8-v33p-4qcc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fqx8-v33p-4qcc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-fqx8-v33p-4qcc/GHSA-fqx8-v33p-4qcc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fqx8-v33p-4qcc
- Aliases
- Published
- 2022-02-14T22:54:18Z
- Modified
- 2024-02-16T08:20:28.669768Z
- Severity
-
- 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Cross-site Scripting in enshrined/svg-sanitize
- Details
-
Impact
SVG sanitizer library before version
0.15.0did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched astext/html) was susceptible to cross-site scripting. Plain SVG files (fetched asimage/svg+xml) were not affected.Patches
This issue is fixed in
0.15.0and higher.Workarounds
There is currently no workaround available without upgrading.
For more information
If you have any questions or comments about this advisory: * Open an issue in Github * Email us at daryll@enshrined.co.uk
- References
-
- https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-fqx8-v33p-4qcc
- https://nvd.nist.gov/vuln/detail/CVE-2022-23638
- https://github.com/darylldoyle/svg-sanitizer/issues/71
- https://github.com/darylldoyle/svg-sanitizer/commit/17e12ba9c2881caa6b167d0fbea555c11207fbb0
- https://github.com/FriendsOfPHP/security-advisories/blob/master/enshrined/svg-sanitize/CVE-2022-23638.yaml
- https://github.com/advisories/GHSA-fqx8-v33p-4qcc
- https://github.com/darylldoyle/svg-sanitizer
Affected packages
Packagist / enshrined/svg-sanitize
Package
- Name
- enshrined/svg-sanitize
- Purl
- pkg:composer/enshrined/svg-sanitize