CVE-2019-18857

Опубликовано: 11 нояб. 2019

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript :alert substring.

Ссылки

https://github.com/darylldoyle/svg-sanitizer/commit/51ca4b713f3706d6b27769c6296bbc0c28a5bbd0
Patch
Third Party Advisory
https://github.com/darylldoyle/svg-sanitizer/compare/0.11.0...0.12.0
Third Party Advisory
https://github.com/darylldoyle/svg-sanitizer/commit/51ca4b713f3706d6b27769c6296bbc0c28a5bbd0
Patch
Third Party Advisory
https://github.com/darylldoyle/svg-sanitizer/compare/0.11.0...0.12.0
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:svg-sanitizer_project:svg-sanitizer:*:*:*:*:*:*:*:*

Версия до 0.12.0 (исключая)

EPSS

Процентиль: 56%

0.00344

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-gf8j-v8x5-h9qp