External Control of System or Configuration Setting

CVE-2023-50252

High

9.8/10

Summary

php-svg-lib is an SVG file parsing / rendering library. The package phenx/php-svg-lib versions 0.0.3, and 0.2 through 0.5.0, when handling the '<use>' tag that references an '<image>' tag, it merges the attributes from the '<use>' tag to the '<image>' tag. The problem pops up, especially when the 'href' attribute from the '<use>' tag has not been sanitized. This can lead to an unsafe file read that can cause PHAR Deserialization vulnerability in PHP prior to version 8.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-15 - External Control of System or Configuration Setting

One or more system settings or configuration elements can be externally controlled by a user.

References

Advisory
Release Note

Advisory Timeline

Published Dec 12, 2023

External Control of System or Configuration Setting

CVE-2023-50252

Summary

CWE-15 - External Control of System or Configuration Setting

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS