View online: https://www.drupal.org/sa-contrib-2018-027
Project: SVG Formatter [1]
Date: 2018-May-09
Security risk: *Critical* 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Cross Site Scripting
Description:

This module adds a new formatter for file fields, which allows any file extension to be uploaded. The module doesn't sufficiently sanitize uploaded SVG files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit certain content types that allow SVG files to be uploaded.
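A minimal PHP sanitizer for the class of bug the description covers, added here as an illustration and not taken from the SVG Formatter module; the function name `sanitize_svg` and the deny rules it applies are assumptions of this example, not the module's fix:

```php
<?php
// Added example, not the SVG Formatter module's code. sanitize_svg() and
// its deny rules are this example's assumptions, not the module's fix.
function sanitize_svg(string $svg): ?string {
  $dom = new DOMDocument();
  $previous = libxml_use_internal_errors(TRUE);
  // LIBXML_NONET: never fetch external resources. LIBXML_NOENT and
  // LIBXML_DTDLOAD are deliberately not set, so external entities stay inert.
  $loaded = $dom->loadXML($svg, LIBXML_NONET);
  libxml_clear_errors();
  libxml_use_internal_errors($previous);
  if (!$loaded || $dom->documentElement->localName !== 'svg') {
    // Malformed or not an SVG document: reject instead of guessing.
    return NULL;
  }

  $xpath = new DOMXPath($dom);
  // Elements that run script, embed arbitrary HTML, or can rewrite other
  // attributes (e.g. <set attributeName="href" to="javascript:...">).
  $blocked = '//*[local-name()="script" or local-name()="foreignObject"'
    . ' or local-name()="set" or local-name()="animate"]';
  foreach ($xpath->query($blocked) as $node) {
    $node->parentNode->removeChild($node);
  }
  // Event-handler attributes (onload, onclick, ...) and script or data URLs
  // in href / xlink:href (both have localName "href").
  foreach ($xpath->query('//@*') as $attr) {
    $name = strtolower($attr->localName);
    $is_handler = strpos($name, 'on') === 0;
    $is_bad_url = $name === 'href'
      && preg_match('/^\s*(javascript|data)\s*:/i', $attr->value) === 1;
    if ($is_handler || $is_bad_url) {
      $attr->ownerElement->removeAttributeNode($attr);
    }
  }
  return $dom->saveXML();
}

// Constructed sample: every hostile construct below is stripped, the
// <text> element survives.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
  . '<script>alert(2)</script>'
  . '<a href="javascript:alert(3)"><text>harmless</text></a></svg>';
echo sanitize_svg($sample);
```

These rules only matter because the formatter inlines the SVG markup into the page; an SVG rendered through an `<img>` element is never allowed to execute script, which is the simpler mitigation where inline rendering is not required.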
Solution:

Install the latest version:

* If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG Formatter 8.x-1.06 [3]

Also see the SVG Formatter [4] project page.
Reported By:

* Balazs Janos Tatar [5]

Fixed By:

* Balazs Janos Tatar [6]
* Rick Manelius [7] of the Drupal Security Team
* Goran Nikolovski [8]

Coordinated By:

* Balazs Janos Tatar [9]
[1] https://www.drupal.org/project/svg_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/svg_formatter/releases/8.x-1.06
[4] https://www.drupal.org/project/svg_formatter
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/649590
[7] https://www.drupal.org/user/680072
[8] https://www.drupal.org/user/3451979
[9] https://www.drupal.org/user/649590