CVE-2023-40013

2023-08-1421:15:13

CWE-79

[email protected]

web.nvd.nist.gov

svg loader

javascript library

xss

input sanitization

security issue

cve-2023-40013

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

0.001 Low

EPSS

Percentile

21.8%

JSON

SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag’s place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in Cross-site Scripting (XSS). When trying to sanitize the svg the lib removes event attributes such as onmouseover, onclick but the list of events is not exhaustive. Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack. This issue has been addressed in commit d3562fc08 which is included in releases from 1.6.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

NVD

Node

shubhamjainsvg_loaderRange<1.6.9

VendorProductVersionCPE
shubhamjainsvg_loader*cpe:2.3:a:shubhamjain:svg_loader:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
shubhamjain	svg_loader	*	cpe:2.3:a:shubhamjain:svg_loader::::::::

CNA Affected

[
  {
    "vendor": "shubhamjain",
    "product": "svg-loader",
    "versions": [
      {
        "version": "< 1.6.9",
        "status": "affected"
      }
    ]
  }
]