Description
According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS.
Recommendation
Update the external-svg-loader package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.9
- Patched version(s): 1.6.9
References
Related Issues
- Layui cross-site scripting (XSS) vulnerability - CVE-2023-50550
- vxe-table Cross-site Scripting vulnerability - CVE-2023-1001
- Joplin Cross-site Scripting vulnerability - CVE-2023-37299
- angular-ui-notification Cross-site Scripting vulnerability - CVE-2023-34840
You might also like:
- Tags:
- npm
- external-svg-loader
Anything's wrong? Let us know Last updated on November 08, 2023


