Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5Y2YtbTd2NS13aDV3

Cross-Site Scripting in SVG Sanitizer

Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting.

An updated version 1.0.3 is available from the TYPo3 extension manager and at https://extensions.typo3.org/extension/download/svg_sanitizer/1.0.3/zip/
Users of the extension are advised to update the extension as soon as possible.

Permalink: https://github.com/advisories/GHSA-59cf-m7v5-wh5w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5Y2YtbTd2NS13aDV3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-59cf-m7v5-wh5w, CVE-2020-11070
References: Repository: https://github.com/TYPO3GmbH/svg_sanitizer
Blast Radius: 1.0

Affected Packages

packagist:t3g/svg-sanitizer
Dependent packages: 0
Dependent repositories: 0
Downloads: 20,771 total
Affected Version Ranges: < 1.0.3
Fixed in: 1.0.3
All affected versions: 1.0.0, 1.0.1, 1.0.2
All unaffected versions: 1.0.3