[Security-news] SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
security-news at drupal.org
Wed Oct 23 16:58:57 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-050
Project: SVG Embed [1]
Date: 2024-October-23
Security risk: *Moderately critical* 13 / 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Affected versions: <2.1.2
Description:
This module enables you to embed the content of an SVG file into the body
HTML of a node and optionally allows the text contained within the image to
be translated.
The module doesn't sufficiently sanitize the SVG file before embedding it
into the HTML.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to upload SVG files, and the permission to use a text
format that includes the SVG embed filter.
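The advisory states the problem as insufficient sanitization of an uploaded SVG before it is inlined into page HTML. The following is an added illustration, not the svg_embed module's code, of what an allow-list sanitizer for that step looks like: it parses the SVG as XML, keeps only known drawing elements and presentation attributes, strips event-handler attributes, inline styles and any href that is not a fragment reference, and rejects documents that carry a DTD. The element and attribute lists and the sample SVG are constructed for the example and are assumptions, not taken from the module or the advisory.

```python
"""Allow-list sanitizer for inline SVG (added example, not svg_embed code).

Anything not explicitly permitted is dropped, so script, style, foreignObject
and event handlers never reach the rendered page.  The sample markup at the
bottom is constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Assumed allow-list of static drawing elements; script, style, foreignObject,
# image and use are deliberately absent.
ALLOWED_ELEMENTS = {
    "svg", "g", "a", "path", "rect", "circle", "ellipse", "line", "polyline",
    "polygon", "text", "tspan", "title", "desc", "defs", "linearGradient",
    "radialGradient", "stop", "clipPath",
}

# Assumed allow-list of geometry and presentation attributes; no on* handlers.
ALLOWED_ATTRIBUTES = {
    "id", "class", "x", "y", "width", "height", "viewBox", "fill", "stroke",
    "stroke-width", "d", "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2",
    "points", "transform", "opacity", "font-size", "font-family",
    "text-anchor", "offset", "stop-color", "clip-path",
}

# Only same-document references ("#id" or "url(#id)") are kept; any value
# with a URL scheme is removed so the image cannot reach javascript:, data:
# or remote resources.
SAFE_FRAGMENT = re.compile(r"^#[A-Za-z0-9_.:-]+$")
SAFE_URL_FUNC = re.compile(r"^url\(\s*['\"]?#[A-Za-z0-9_.:-]+['\"]?\s*\)$", re.I)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def _attr_is_safe(name: str, value: str) -> bool:
    local = _local(name)
    stripped = value.strip()
    if local.lower().startswith("on"):          # onload, onclick, ...
        return False
    if local == "style":                        # CSS can carry url() and more
        return False
    if local == "href":                         # covers href and xlink:href
        return bool(SAFE_FRAGMENT.match(stripped))
    if "url(" in stripped.lower() and not SAFE_URL_FUNC.match(stripped):
        return False                            # fill="url(http://...)" etc.
    return local in ALLOWED_ATTRIBUTES


def _clean(elem: ET.Element) -> None:
    """Recursively remove disallowed elements (whole subtree) and attributes."""
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_ELEMENTS:
            elem.remove(child)
            continue
        _clean(child)
    for name, value in list(elem.attrib.items()):
        if not _attr_is_safe(name, value):
            del elem.attrib[name]


def sanitize_svg(markup: str) -> str:
    """Return serialized SVG containing only allow-listed content.

    Raises ValueError for DTD declarations, malformed XML, or a non-<svg> root.
    """
    upper = markup.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTD declarations are not allowed")
    root = ET.fromstring(markup)                # raises ParseError (a ValueError subclass) if malformed
    if _local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    _clean(root)
    ET.register_namespace("", SVG_NS)           # serialize without ns0: prefixes
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a legitimate drawing mixed with the kinds of content a
# sanitizer must strip before the markup is inlined into HTML.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" '
    'width="100" height="100" onload="alert(1)">'
    '<script>alert(1)</script>'
    '<circle cx="50" cy="50" r="40" fill="url(#g)"/>'
    '<rect x="0" y="0" width="10" height="10" '
    'fill="url(http://example.invalid/leak.svg#p)"/>'
    '<a xlink:href="javascript:alert(1)"><text x="10" y="20">hi</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
```

In a Drupal text-format filter the same logic would run on the file contents before the filter returns its output; the allow-list approach matters because a block-list misses new attributes and elements, while anything the list does not name is simply absent from the page.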
Solution:
Install the latest version:
* If you use the svg_embed module for Drupal 7.x, upgrade to svg_embed
7.x-1.3 [3]
* If you use the svg_embed module for Drupal 10 or 11, upgrade to svg_embed
2.1.2 [4]
Reported By:
* Pierre Rudloff [5]
Fixed By:
* Ivo Van Geertruyen [6] of the Drupal Security Team
* Jürgen Haas [7]
Coordinated By:
* Ivo Van Geertruyen [8] of the Drupal Security Team
[1] https://www.drupal.org/project/svg_embed
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/svg_embed/releases/7.x-1.3
[4] https://www.drupal.org/project/svg_embed/releases/2.1.2
[5] https://www.drupal.org/user/3611858
[6] https://www.drupal.org/user/383424
[7] https://www.drupal.org/user/168924
[8] https://www.drupal.org/user/383424