FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

typo3 -- XSS vulnerability in svg-sanitize

Affected packages
typo3-10-php74 < 10.4.25
typo3-11-php74 < 11.5.7
typo3-11-php80 < 11.5.7
typo3-11-php81 < 11.5.7

Details

VuXML ID 0eab001a-9708-11ec-96c9-589cfc0f81b0
Discovery 2022-02-22
Entry 2022-02-27

The TYPO3 project reports:

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

[source]

References

CVE Name CVE-2022-23638
URL https://github.com/typo3/typo3/commit/9940defb21
URL https://typo3.org/article/typo3-psa-2022-001

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.