View online: https://www.drupal.org/sa-contrib-2022-028
Project: SVG Formatter [1]
Date: 2022-March-09
Security risk: *Critical* 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Cross Site Scripting
Description: SVG Formatter module provides support for using SVG images on your website.
Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images.
Solution: Update the module to 8.x-1.17 [3] or 2.0.1 [4]; these releases allow the enshrined/svg-sanitize library to be updated to version 0.15 or newer.
The updated library is most easily installed with Composer. To update the module and library it's possible to run the following Composer command:
composer update --with-dependencies drupal/svg_formatter

Reported By: * Jeroen Tubex [5]
Fixed By: * Goran Nikolovski [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Lee Rowlands [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
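An added check, not part of this advisory or of the module's own code: a small POSIX shell script that reads a project's composer.lock and reports whether the pinned enshrined/svg-sanitize version is at or above the fixed 0.15 release named in the Solution above. The function names, the constructed lock fragments and the reliance on GNU sort -V are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: check whether the enshrined/svg-sanitize
# version pinned in a project's composer.lock is at or above the fixed release (0.15).
# Assumes Composer's usual lock layout, where a package's "name" line is followed
# by its "version" line, and GNU sort (for sort -V).

FIXED_VERSION="0.15"

# Print the locked version of enshrined/svg-sanitize (any leading "v" stripped),
# or nothing if the package is not in the lock file.
svg_sanitize_version() {
    awk '
        /"name": *"enshrined\/svg-sanitize"/ { found = 1; next }
        found && /"version":/ {
            gsub(/[",]/, "", $2); sub(/^v/, "", $2); print $2; exit
        }
    ' "$1"
}

# Exit status: 0 = fixed version (>= 0.15), 1 = vulnerable version, 2 = not installed.
svg_sanitize_is_fixed() {
    v=$(svg_sanitize_version "$1")
    [ -n "$v" ] || return 2
    lowest=$(printf '%s\n' "$FIXED_VERSION" "$v" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Write a constructed composer.lock fragment (not a real project file) pinning
# enshrined/svg-sanitize at the given version, so the check can be tried offline.
make_sample_lock() {
    cat > "$1" <<EOF
{
    "packages": [
        { "name": "drupal/svg_formatter", "version": "2.0.1" },
        {
            "name": "enshrined/svg-sanitize",
            "version": "${2}"
        }
    ]
}
EOF
}

# Usage: sh check_svg_sanitize.sh /path/to/composer.lock
if [ -n "${1:-}" ]; then
    case "$(svg_sanitize_is_fixed "$1"; echo $?)" in
        0) echo "ok: enshrined/svg-sanitize $(svg_sanitize_version "$1")" ;;
        1) echo "VULNERABLE: enshrined/svg-sanitize $(svg_sanitize_version "$1") < $FIXED_VERSION" ;;
        *) echo "enshrined/svg-sanitize not found in $1" ;;
    esac
fi
```

Run it against the site's real composer.lock after the composer update above; a non-zero exit from svg_sanitize_is_fixed means the library update did not land.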
[1] https://www.drupal.org/project/svg_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/svg_formatter/releases/8.x-1.17
[4] https://www.drupal.org/project/svg_formatter/releases/2.0.1
[5] https://www.drupal.org/user/2228934
[6] https://www.drupal.org/user/3451979
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/395439
[9] https://www.drupal.org/user/36762