SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15/25
Vulnerability: Cross Site Scripting

Description

The SVG Formatter module provides support for using SVG images on your website.

The module's dependency, the enshrined/svg-sanitize library, has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission that allows them to upload SVG images.

Solution

Update the module to version 8.x-1.17 or 2.0.1, which allows the enshrined/svg-sanitize library to be updated to version 0.15 or newer.

The updated library is most easily installed with Composer. To update both the module and the library, run the following Composer command:
composer update --with-dependencies drupal/svg_formatter
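As an added check that is not part of the module or this advisory, the following POSIX shell script reads Composer's vendor/composer/installed.json after the update and reports whether the installed enshrined/svg-sanitize is still below the fixed 0.15 line. The Composer 2 layout of installed.json (a top-level "packages" array with "name" and "version" keys) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: verify that the enshrined/svg-sanitize dependency named in
# SA-CONTRIB-2022-028 has reached the fixed release line (0.15 or newer).

# Returns 0 when dotted version $1 is strictly older than $2 (missing
# components are treated as 0, so 0.15 and 0.15.0 compare equal).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print the installed version of package $2 recorded in installed.json $1.
# Assumes the Composer 2 layout, where "version" follows "name" in each entry.
installed_version() {
    tr -d '\n' < "$1" \
        | grep -o "\"name\": *\"$2\"[^}]*\"version\": *\"[^\"]*\"" \
        | sed 's/.*"version": *"\([^"]*\)".*/\1/' | head -n 1 | sed 's/^v//'
}

# Returns 0 if the installed enshrined/svg-sanitize is older than 0.15 (still
# affected), 1 if it is at or above 0.15, and 2 if the package is not recorded.
svg_sanitize_affected() {
    v=$(installed_version "$1" enshrined/svg-sanitize)
    [ -n "$v" ] || return 2
    version_lt "$v" 0.15
}
```

Run it as `svg_sanitize_affected vendor/composer/installed.json` from the site root; a zero exit status means the update has not taken effect yet.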

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. In recent years he has been actively developing AltaGrade's new back-end system.