[Security-news] SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027
security-news at drupal.org
security-news at drupal.org
Wed May 9 20:28:27 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-027
Project: SVG Formatter [1]
Date: 2018-May-09
Security risk: *Critical* 15∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
This module adds a new formatter for the file fields, which allows any file
extension to be uploaded.
The module doesn't sufficiently handle sanitization under the scenario
uploaded SVG files.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission create or edit on certain content types that allows SVG
files to be uploaded.
Solution:
Install the latest version:
* If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG
Formatter 8.x-1.06 [3]
Also see the SVG Formatter [4] project page.
Reported By:
* Balazs Janos Tatar [5]
Fixed By:
* Balazs Janos Tatar [6]
* Rick Manelius [7] of the Drupal Security Team
* Goran Nikolovski [8]
Coordinated By:
* Balazs Janos Tatar [9]
[1] https://www.drupal.org/project/svg_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/svg_formatter/releases/8.x-1.06
[4] https://www.drupal.org/project/svg_formatter
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/649590
[7] https://www.drupal.org/user/680072
[8] https://www.drupal.org/user/3451979
[9] https://www.drupal.org/user/649590
More information about the Security-news
mailing list