Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-40013
Summary
SVG Loader (external-svg-loader) is a JavaScript library that fetches SVGs with XMLHttpRequest and injects the SVG markup inline in place of the tag. According to its documentation, svg-loader strips all JavaScript from the SVG before injecting it, but the sanitization logic is not sufficient and can be trivially bypassed, so an attacker can craft a malicious SVG that results in Cross-site Scripting (XSS). When sanitizing the SVG, the library removes event-handler attributes such as onmouseover and onclick, but the list of event attributes is not exhaustive. Because the SVG is injected inline rather than loaded through an img element, anything that survives sanitization runs in the origin of the embedding page. Any website that uses external-svg-loader and lets its users control which SVG is loaded (the src) or upload SVG files is therefore susceptible to stored XSS. This issue affects versions prior to 1.6.9. There are no known workarounds for this vulnerability.
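To make the failure mode concrete, here is an added example (not svg-loader's code, and not the library's actual blocklist or the actual bypass) contrasting the two designs: a blocklist of event-attribute names versus removal of the whole attribute class plus the other script-bearing SVG constructs. It parses the SVG as XML with Python's standard library; a browser-side implementation would do the same walk over a DOMParser tree. The event names in BLOCKED_EVENT_ATTRS, the sample SVG, and the onbegin handler that slips past the blocklist are all constructed for the illustration.

```python
# Added illustration of the bug class in CVE-2023-40013. This is NOT
# svg-loader's code; the attribute/element lists and the sample SVG below
# are constructed for the example.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:")

# Constructed input: an event handler the blocklist does not list, a
# javascript: link obfuscated with a tab (browsers strip it), and <script>.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">'
    '<rect width="10" height="10" onclick="alert(1)">'
    '<animate attributeName="width" dur="1s" onbegin="alert(2)"/>'
    '</rect>'
    '<a xlink:href="jAva&#x09;script:alert(3)"><circle r="1"/></a>'
    '<script>alert(4)</script>'
    '</svg>'
)


def local_name(qname):
    """Drop the {namespace} prefix ElementTree attaches to qualified names."""
    return qname.rsplit("}", 1)[-1]


def is_dangerous_url(value):
    """True unless the URL is relative, a fragment, or http(s).

    Browsers discard ASCII tab/newline anywhere and leading/trailing control
    characters before scheme detection, so the check must do the same.
    """
    cleaned = "".join(c for c in value if c not in "\t\n\r")
    cleaned = cleaned.strip("".join(chr(i) for i in range(0x21)))
    m = SCHEME_RE.match(cleaned.lower())
    return bool(m) and m.group(0)[:-1] not in ("http", "https")


# (1) Blocklist: the fragile pattern the advisory describes. Only names
#     someone remembered to enumerate are removed (hypothetical list).
BLOCKED_EVENT_ATTRS = {"onclick", "onmouseover", "onmouseout", "onload", "onerror"}


def sanitize_blocklist(svg_text):
    root = ET.fromstring(svg_text)
    for el in root.iter():
        for attr in list(el.attrib):
            if local_name(attr) in BLOCKED_EVENT_ATTRS:
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# (2) Hardened: remove the whole class. Names are compared lower-cased
#     because the browser re-parses the result as HTML, where SVG element and
#     attribute names are case-insensitive (the XML parser here is not).
DROPPED_ELEMENTS = {"script", "foreignobject"}
URL_ATTRS = {"href"}  # matches both href and xlink:href after local_name()


def sanitize_hardened(svg_text):
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):          # snapshot: we mutate the tree
        for child in list(parent):
            name = local_name(child.tag).lower()
            # <set>/<animate attributeName="href" to="javascript:..."> can
            # rewrite a link into a scripting URL after sanitization.
            target = child.get("attributeName", "").lower().split(":")[-1]
            if name in DROPPED_ELEMENTS or (name in {"set", "animate"} and target == "href"):
                parent.remove(child)
    for el in root.iter():
        for attr, value in list(el.attrib.items()):
            name = local_name(attr).lower()
            if name.startswith("on"):         # every event handler, known or not
                del el.attrib[attr]
            elif name in URL_ATTRS and is_dangerous_url(value):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def residual_risks(svg_text):
    """List script-bearing constructs still present; empty means none found."""
    root = ET.fromstring(svg_text)
    found = []
    for el in root.iter():
        if local_name(el.tag).lower() in DROPPED_ELEMENTS:
            found.append("element:" + local_name(el.tag).lower())
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                found.append("event:" + aname)
            elif aname in URL_ATTRS and is_dangerous_url(value):
                found.append("url:" + value)
    return found


if __name__ == "__main__":
    print("blocklist leaves:", residual_risks(sanitize_blocklist(SAMPLE_SVG)))
    print("hardened leaves: ", residual_risks(sanitize_hardened(SAMPLE_SVG)))
```

The blocklist version strips onclick and nothing else of consequence: onbegin, the javascript: href and the script element all reach the page. The hardened version keeps the drawing (rect, circle, the width animation) and drops every handler regardless of name. Even so, a hand-written sanitizer is the second-best option; a maintained allowlist sanitizer with an SVG profile, or serving user-supplied SVG through an img element or from a separate origin, removes the need to enumerate dangerous constructs at all.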
CVSS v3 metrics
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: LOW
- Scope: CHANGED
- User Interaction: REQUIRED
- Confidentiality: LOW
- Integrity: LOW
- Availability: NONE
CWE-79 - Cross-Site Scripting
Cross-Site Scripting, commonly referred to as XSS, is one of the most prevalent classes of web vulnerabilities. It allows an attacker to inject script into a vulnerable web application so that it executes in the browsers of that application's users, in the application's origin. Exploitation can lead to account takeover and exfiltration of sensitive data. Because of how common XSS is and how readily it is exploited, it has appeared in the OWASP Top 10 for years (since the 2021 edition it is counted under the Injection category).
References
Advisory Timeline
- Published