The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds
References
Link | Resource |
---|---|
https://github.com/mattkrick/sanitize-svg/commit/b107e453ede7b58adcccae74a3e474c012eec85d | Patch Third Party Advisory |
https://github.com/mattkrick/sanitize-svg/security/advisories/GHSA-h857-2g56-468g | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 04:06
Type | Values Removed | Values Added |
---|---|---|
Summary | The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds |
10 Jan 2023, 19:14
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:sanitize-svg_project:sanitize-svg:*:*:*:*:*:node.js:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
References | (MISC) https://github.com/mattkrick/sanitize-svg/security/advisories/GHSA-h857-2g56-468g - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/mattkrick/sanitize-svg/commit/b107e453ede7b58adcccae74a3e474c012eec85d - Patch, Third Party Advisory | |
First Time |
Sanitize-svg Project
Sanitize-svg Project sanitize-svg |
04 Jan 2023, 15:37
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-01-04 15:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-22461
Mitre link : CVE-2023-22461
CVE.ORG link : CVE-2023-22461
JSON object : View
Products Affected
sanitize-svg_project
- sanitize-svg