Description
According to its documentation, svg-loader strips all JavaScript before injecting the SVG file for security reasons, but the input sanitization logic is insufficient and can be trivially bypassed. An attacker can therefore craft a malicious SVG that results in cross-site scripting (XSS).
Recommendation
Update the external-svg-loader package to the latest compatible version. Version details follow:
- Affected version(s): < 1.6.9
- Patched version(s): 1.6.9
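A check against the affected range above, as an added example that is not part of the advisory or of the external-svg-loader project: it scans a package-lock.json (lockfile versions 1, 2 and 3) for every installed copy of external-svg-loader, including nested copies, and flags any version below 1.6.9. The sample lockfile is constructed for the demonstration.

```python
import json
import re
from typing import Iterator

PACKAGE = "external-svg-loader"
PATCHED = (1, 6, 9)  # first fixed release per the advisory; anything lower is affected


def parse_semver(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (suffixes ignored)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version is below the patched release (< 1.6.9)."""
    return parse_semver(version) < PATCHED


def installed_versions(lockfile: dict) -> Iterator:
    """Yield (install path, version) for every copy of the package."""
    if "packages" in lockfile:  # lockfileVersion 2/3: flat map keyed by path
        for path, meta in lockfile["packages"].items():
            if path.rsplit("node_modules/", 1)[-1] == PACKAGE:
                yield path, meta["version"]
        return

    def walk(deps, prefix):  # lockfileVersion 1: nested 'dependencies' tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PACKAGE:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lockfile.get("dependencies", {}), "")


def affected_entries(lockfile: dict) -> list:
    """Return the (path, version) pairs that fall inside the affected range."""
    return [(p, v) for p, v in installed_versions(lockfile) if is_affected(v)]


# Constructed sample lockfile: one vulnerable top-level copy, one patched
# copy nested under another dependency (assumed package name 'some-widget').
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/external-svg-loader": {"version": "1.6.8"},
    "node_modules/some-widget/node_modules/external-svg-loader": {"version": "1.6.9"}
  }
}""")

if __name__ == "__main__":
    for path, version in affected_entries(SAMPLE_LOCK):
        print(f"AFFECTED: {path} {version} (< 1.6.9)")
```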
References
Related Issues
- Froala Editor Cross-site Scripting vulnerability - CVE-2023-41592
- Layui cross-site scripting (XSS) vulnerability - CVE-2023-50550
- NASA Open MCT Cross Site Scripting vulnerability - CVE-2023-45885
- angular-ui-notification Cross-site Scripting vulnerability - CVE-2023-34840
Tags:
- npm
- external-svg-loader
Last updated on November 08, 2023