Lucene search

Veracode Vulnerability DatabaseVERACODE:42812

HistoryAug 16, 2023 - 2:55 a.m.

Cross-site Scripting (XSS)

2023-08-1602:55:26

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

svg loader

input sanitization

javascript

vulnerability

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

0.001 Low

EPSS

Percentile

21.6%

JSON

external-svg-loader is vulnerable to Cross-site Scripting (XSS). The vulnerability exists due to the lack of input sanitization in the renderBody function of svg-loader.js, which allows an attacker to inject and execute malicious JavaScript through a maliciously crafted SVG.

CPENameOperatorVersion
external-svg-loaderle1.6.8
external-svg-loaderle1.6.8

CPE	Name	Operator	Version
	external-svg-loader	le	1.6.8
	external-svg-loader	le	1.6.8

References

github.com/advisories/GHSA-xc2r-jf2x-gjr8

github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128

github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c

github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8

github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

0.001 Low

EPSS

Percentile

21.6%

JSON

Related for VERACODE:42812