CVE-2023-22461

Опубликовано: 04 янв. 2023

Источник: nvd

CVSS3: 7.6

CVSS3: 6.1

EPSS Низкий

Описание

The sanitize-svg package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal <script>-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on sanitize-svg and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds

Ссылки

https://github.com/mattkrick/sanitize-svg/commit/b107e453ede7b58adcccae74a3e474c012eec85d
Patch
Third Party Advisory
https://github.com/mattkrick/sanitize-svg/security/advisories/GHSA-h857-2g56-468g
Exploit
Third Party Advisory
https://github.com/mattkrick/sanitize-svg/commit/b107e453ede7b58adcccae74a3e474c012eec85d
Patch
Third Party Advisory
https://github.com/mattkrick/sanitize-svg/security/advisories/GHSA-h857-2g56-468g
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sanitize-svg_project:sanitize-svg:*:*:*:*:*:node.js:*:*

Версия до 0.4.0 (исключая)

EPSS

Процентиль: 57%

0.00355

Низкий

7.6 High

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-h857-2g56-468g

CVSS3: 7.6

github

около 3 лет назад

@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)

EPSS

Процентиль: 57%

0.00355

Низкий

7.6 High

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79