CVE-2023-28426 enshrined/svg-sanitize

Package

Manager: composer
Name: enshrined/svg-sanitize
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: N/A

EPSS: N/A (percentile: N/A)

Details

svg-sanitizer has Cross-site Scripting Bypass

### Update

In [#88](https://github.com/darylldoyle/svg-sanitizer/issues/88) we have determined that the bypass this security advisory was created for was a false positive, and as such we have requested that the CVE be rejected.

___

A bypass has been found that allows an attacker to upload an SVG with persistent XSS. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a text node and therefore the library wasn't seeing them as DOM elements. Any data within a CDATA node will now be sanitised using [HTMLPurifier](https://github.com/ezyang/htmlpurifier). We've also removed many of the HTML and MathML elements from the allowed element list, as without `foreignObject` they're not legal within the SVG context. Additional tests have been added to the test suite to account for these new bypasses.

### Impact

This impacts all users of the `svg-sanitizer` library.

### Patches

This issue is fixed in 0.16.0 and higher.

### Workarounds

There is currently no workaround available without upgrading.

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [GitHub](https://github.com/darylldoyle/svg-sanitizer/issues)
- Email us at [daryll@enshrined.co.uk](mailto:daryll@enshrined.co.uk)
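As an added illustration of the mechanism the advisory describes (this is not code from svg-sanitizer), the Python below parses a constructed SVG and shows that an element-allowlist walker never sees markup inside a CDATA section, because an XML parser hands it over as character data. It then applies one conservative treatment, converting each CDATA section into an ordinary text node, as a stand-in for the library's HTMLPurifier pass; the allowlist is hypothetical.

```python
import xml.dom.minidom as minidom

# Constructed sample: the <text> element carries markup inside a CDATA section,
# so to an XML parser the whole "<script>..." string is character data, not elements.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<text><![CDATA[<script>alert(1)</script>]]></text>'
    '<foreignObject><b>bold</b></foreignObject>'
    '</svg>'
)

# Hypothetical allowlist for this demonstration only (not the library's real list).
ALLOWED_ELEMENTS = {"svg", "g", "text", "path", "rect", "circle"}


def element_names(svg_markup):
    """Tag names an element-only walker sees; CDATA content never appears here."""
    doc = minidom.parseString(svg_markup)
    return [el.tagName for el in doc.getElementsByTagName("*")]


def _cdata_sections(node, found=None):
    """Recursively collect the CDATA section nodes beneath `node`."""
    if found is None:
        found = []
    for child in node.childNodes:
        if child.nodeType == child.CDATA_SECTION_NODE:
            found.append(child)
        _cdata_sections(child, found)
    return found


def cdata_count(svg_markup):
    """Number of CDATA sections the element walker above silently skips."""
    return len(_cdata_sections(minidom.parseString(svg_markup)))


def sanitize(svg_markup):
    """Element allowlist, then CDATA normalisation (stand-in for HTMLPurifier).

    Each CDATA section is replaced by a plain text node holding the same
    characters, so the output has no CDATA wrapper and the characters serialize
    escaped (&lt; &gt;), never as markup.
    """
    doc = minidom.parseString(svg_markup)
    for el in list(doc.getElementsByTagName("*")):
        if el.tagName not in ALLOWED_ELEMENTS and el.parentNode is not None:
            el.parentNode.removeChild(el)
    for cd in _cdata_sections(doc):
        cd.parentNode.replaceChild(doc.createTextNode(cd.data), cd)
    return doc.documentElement.toxml()
```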

Metadata

Created: 2023-03-20T20:44:30Z
Modified: 2023-03-23T12:50:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-xrqq-wqh4-5hg2/GHSA-xrqq-wqh4-5hg2.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xrqq-wqh4-5hg2
Finding: N/A
Auto approve: 0