Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5Y2YtbTd2NS13aDV3

Cross-Site Scripting in SVG Sanitizer

Slightly invalid or incomplete SVG markup is not processed correctly and is therefore not sanitized at all. Although such markup is not valid, browsers still evaluate it, which leads to cross-site scripting.

An updated version 1.0.3 is available from the TYPO3 extension manager and at https://extensions.typo3.org/extension/download/svg_sanitizer/1.0.3/zip/
Users of the extension are advised to update it as soon as possible.

Permalink: https://github.com/advisories/GHSA-59cf-m7v5-wh5w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5Y2YtbTd2NS13aDV3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: over 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-59cf-m7v5-wh5w, CVE-2020-11070
References: Repository: https://github.com/TYPO3GmbH/svg_sanitizer
Blast Radius: 1.0

Affected Packages

packagist:t3g/svg-sanitizer
Dependent packages: 0
Dependent repositories: 0
Downloads: 20,577 total
Affected Version Ranges: < 1.0.3
Fixed in: 1.0.3
All affected versions: 1.0.0, 1.0.1, 1.0.2
All unaffected versions: 1.0.3