it-securitynotifies - [IT-SecNots] [Security-news] SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027
  • Date: Wed, 9 May 2018 20:28:27 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-027

Project: SVG Formatter [1]
Date: 2018-May-09
Security risk: *Critical* 15/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
This module adds a new formatter for file fields, which allows any file
extension to be uploaded.
The module does not sufficiently sanitize uploaded SVG files, so an SVG
containing active content is rendered as-is.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create or edit certain content types that allow SVG
files to be uploaded.
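The class of content the advisory refers to is script-bearing SVG: `<script>` elements, `on*` event-handler attributes, `foreignObject` and `javascript:` links. The check below is an added example, not code from the advisory or from the SVG Formatter module; it is a standalone Python triage scan that an upload hook or a post-incident sweep of the files directory could use to flag such vectors, and it is an aid for detection, not a replacement for the upgrade or for a full SVG sanitizer. The sample SVG documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute script or embed arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL-valued attributes; a javascript:/data:/vbscript: scheme in them is a vector.
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def find_svg_xss_vectors(svg_bytes: bytes) -> list:
    """Return human-readable findings for the checked vectors (empty list = none).
    An unparseable file is reported as a finding rather than silently accepted,
    because a browser may still render what a strict XML parser rejects."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % name)
        for attr, value in elem.attrib.items():
            local_attr = _local(attr)
            if local_attr.lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (local_attr, name))
            elif attr in URL_ATTRIBUTES and DANGEROUS_SCHEMES.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append("%s scheme in %s on <%s>" % (scheme, local_attr, name))
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True when none of the checked vectors are present (a triage verdict only)."""
    return not find_svg_xss_vectors(svg_bytes)


# Constructed sample uploads (not taken from the advisory).
SAFE_ICON = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text y="10">click</text></a></svg>')
```

A clean result from this scan means only that the listed vectors are absent; it does not cover CSS-based or external-reference tricks, so treat it as a filter that narrows triage, not as proof of safety.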

Solution: 
Install the latest version:

* If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG
Formatter 8.x-1.06 [3]

Also see the SVG Formatter [4] project page.

Reported By: 
* Balazs Janos Tatar [5]

Fixed By: 
* Balazs Janos Tatar [6]
* Rick Manelius [7] of the Drupal Security Team
* Goran Nikolovski [8]


Coordinated By: 
* Balazs Janos Tatar [9]


[1] https://www.drupal.org/project/svg_formatter
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/svg_formatter/releases/8.x-1.06
[4] https://www.drupal.org/project/svg_formatter
[5] https://www.drupal.org/user/649590
[6] https://www.drupal.org/user/649590
[7] https://www.drupal.org/user/680072
[8] https://www.drupal.org/user/3451979
[9] https://www.drupal.org/user/649590

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.
