The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-01-04T14:57:04.902Z
Updated: 2024-08-02T10:13:48.350Z
Reserved: 2022-12-29T03:00:40.879Z
Link: CVE-2023-22461
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-01-04T15:15:09.510
Modified: 2024-11-21T07:44:51.047
Link: CVE-2023-22461
Redhat
No data.