View online: https://www.drupal.org/sa-contrib-2024-050
Project: SVG Embed [1] Date: 2024-October-23 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site scripting
Affected versions: <2.1.2 Description: This module enables you to embed the content of an SVG file into the body html of a node and optionally allows to translate text contained within the image.
The module doesn't sufficiently sanitize the SVG file before embedding it into the html.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files, and the permission to use a text format that includes the SVG embed filter.
Solution: Install the latest version:
* If you use the svg_embed module for Drupal 7.x, upgrade to svg_embed 7.x-1.3 [3] * If you use the svg_embed module for Drupal 10 or 11, upgrade to svg_embed 2.1.2 [4]
Reported By: * Pierre Rudloff [5]
Fixed By: * Ivo Van Geertruyen [6] of the Drupal Security Team * Jürgen Haas [7]
Coordinated By: * Ivo Van Geertruyen [8] of the Drupal Security Team
[1] https://www.drupal.org/project/svg_embed [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/svg_embed/releases/7.x-1.3 [4] https://www.drupal.org/project/svg_embed/releases/2.1.2 [5] https://www.drupal.org/user/3611858 [6] https://www.drupal.org/user/383424 [7] https://www.drupal.org/user/168924 [8] https://www.drupal.org/user/383424