CVE-2020-11070 – t3g/svg-sanitizer
Package
Manager: composer
Name: t3g/svg-sanitizer
Vulnerable Version: >=0 <1.0.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00206 (percentile: 0.42973)
Details
Cross-Site Scripting in SVG Sanitizer
Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Although the markup is not valid, it is still evaluated in browsers and leads to cross-site scripting. An updated version 1.0.3 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/svg_sanitizer/1.0.3/zip/. Users of the extension are advised to update the extension as soon as possible.
Metadata
Created: 2020-05-13T22:17:34Z
Modified: 2021-01-08T20:16:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-59cf-m7v5-wh5w/GHSA-59cf-m7v5-wh5w.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-59cf-m7v5-wh5w
Finding: F008
Auto approve: 1