it-securitynotifies AT lists.piratenpartei.de
[IT-SecNots] [Security-news] SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
- Date: Wed, 23 Oct 2024 16:58:57 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-050
Project: SVG Embed [1]
Date: 2024-October-23
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Affected versions: <2.1.2
Description:
This module enables you to embed the content of an SVG file into the body
HTML of a node and optionally allows you to translate text contained within the
image.
The module doesn't sufficiently sanitize the SVG file before embedding it
into the HTML.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to upload SVG files, and the permission to use a text
format that includes the SVG embed filter.
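As an added example (not code from the advisory or from the svg_embed module), the following Python sketch shows the checks an inline-SVG filter has to make before a file's markup is written into page HTML: drop script-bearing elements, on* event handlers and hrefs with a script-capable scheme, and report what was removed so the rejection can be logged. The deny-list, function names and sample SVG are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep <svg> elements unprefixed on output
# Deny-list for this demonstration (assumption): elements that run or embed
# code, plus any on* event handler and any href with a script-capable scheme.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "object", "embed"}
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")

def local(name: str) -> str:
    """Strip an XML namespace: '{ns}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]

def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (sanitized SVG markup, list of removed items) for inline embedding."""
    root = ET.fromstring(svg_text)
    if local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    removed: list[str] = []
    # Pass 1: drop forbidden elements. Snapshot the tree first, since we mutate it.
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) in FORBIDDEN_TAGS:
                parent.remove(child)
                removed.append("element:" + local(child.tag))
    # Pass 2: drop event handlers and hrefs whose scheme can execute script.
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = local(attr).lower()
            # Browsers ignore whitespace inside a URL scheme, so collapse it first.
            value = "".join(elem.attrib[attr].split()).lower()
            if name.startswith("on") or (name == "href" and value.startswith(SCRIPT_SCHEMES)):
                del elem.attrib[attr]
                removed.append("attr:" + name)
    return ET.tostring(root, encoding="unicode"), removed

# Constructed sample input (not from the advisory): a valid SVG carrying three
# injection vectors next to harmless drawing content.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="java\nscript:alert(1)"><circle cx="50" cy="50" r="40"/></a>
  <text x="10" y="20">Hello</text>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE_SVG)
    print(dropped)  # ['element:script', 'attr:onload', 'attr:href']
    print(clean)
```

An allow-list sanitizer (the approach taken by DOMPurify, for instance) is the safer production choice, since a deny-list has to anticipate every vector in advance.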
Solution:
Install the latest version:
* If you use the svg_embed module for Drupal 7.x, upgrade to svg_embed
7.x-1.3 [3]
* If you use the svg_embed module for Drupal 10 or 11, upgrade to svg_embed
2.1.2 [4]
Reported By:
* Pierre Rudloff [5]
Fixed By:
* Ivo Van Geertruyen [6] of the Drupal Security Team
* Jürgen Haas [7]
Coordinated By:
* Ivo Van Geertruyen [8] of the Drupal Security Team
[1] https://www.drupal.org/project/svg_embed
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/svg_embed/releases/7.x-1.3
[4] https://www.drupal.org/project/svg_embed/releases/2.1.2
[5] https://www.drupal.org/user/3611858
[6] https://www.drupal.org/user/383424
[7] https://www.drupal.org/user/168924
[8] https://www.drupal.org/user/383424
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news