Description
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
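The advisory does not say how the package's stripping was bypassed, so the example below (added here, not code from external-svg-loader) shows the defensive alternative: an allowlist-based sanitizer applied before an SVG is injected inline, plus a check that counts script-bearing constructs left afterwards. The element and attribute allowlist and the sample SVG are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize without ns0: prefixes
# Assumed allowlist: anything not listed (script, foreignObject, set, animate,
# style, ...) is dropped together with its subtree.
ALLOWED_TAGS = {"svg", "g", "a", "path", "rect", "circle", "ellipse", "line",
                "polyline", "polygon", "text", "tspan", "defs", "use", "title",
                "desc", "linearGradient", "radialGradient", "stop"}
# URL-carrying attributes: only same-document fragments (#id) are kept.
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}

def _local(name):  # strip the {namespace} prefix ElementTree adds
    return name.split("}", 1)[1] if name.startswith("{") else name

def count_script_bearing_constructs(svg_text):
    """Check: number of <script> elements plus on* event attributes."""
    n = 0
    for e in ET.fromstring(svg_text).iter():
        n += int(_local(e.tag) == "script")
        n += sum(1 for a in e.attrib if _local(a).lower().startswith("on"))
    return n

def _clean(elem):
    for attr in list(elem.attrib):
        name = _local(attr).lower()
        if name.startswith("on") or name == "style":  # handlers; CSS can load URLs
            del elem.attrib[attr]
        elif attr in URL_ATTRS and not elem.attrib[attr].strip().startswith("#"):
            del elem.attrib[attr]  # javascript:, data:, remote URLs
    for child in list(elem):
        if _local(child.tag) in ALLOWED_TAGS:
            _clean(child)
        else:
            elem.remove(child)

def sanitize_svg(svg_text):
    """Return a cleaned SVG string; raise ValueError if the root is not <svg>."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")

# Constructed sample (not from the advisory): script reachable three ways,
# only one of which is a <script> element.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="a()">'
          '<script>b()</script><rect width="1" height="1" onclick="c()"/>'
          '<a href="javascript:d()"><text>ok</text></a></svg>')
```

Because the check counts event attributes as well as script elements, it reports the sample as unsafe even after a strip that only removes `<script>` tags, which is the kind of gap the advisory describes.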
Recommendation
Update the external-svg-loader package to the latest compatible version. Version details:
- Affected version(s): < 1.6.9
- Patched version(s): 1.6.9
References
Related Issues
- Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487
- vxe-table Cross-site Scripting vulnerability - CVE-2023-1001
- Froala Editor Cross-site Scripting vulnerability - CVE-2023-41592
Tags:
- npm
- external-svg-loader
Last updated on November 08, 2023