CVE-2019-18857

2019-11-1115:15:12

Google

osv.dev

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.1%

JSON

darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript :alert substring.

CPENameOperatorVersion
svg-sanitizereq0.7.0
svg-sanitizereq0.1.1
svg-sanitizereq0.8.0
svg-sanitizereq0.9.0
svg-sanitizereq0.5.3.1
svg-sanitizereq0.1.3
svg-sanitizereq0.8.2
svg-sanitizereq0.1.5
svg-sanitizereq0.10.0
svg-sanitizereq0.2.0

Name	Operator	Version
svg-sanitizer	eq	0.7.0
svg-sanitizer	eq	0.1.1
svg-sanitizer	eq	0.8.0
svg-sanitizer	eq	0.9.0
svg-sanitizer	eq	0.5.3.1
svg-sanitizer	eq	0.1.3
svg-sanitizer	eq	0.8.2
svg-sanitizer	eq	0.1.5
svg-sanitizer	eq	0.10.0
svg-sanitizer	eq	0.2.0