The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-04T14:57:04.902Z

Updated: 2024-08-02T10:13:48.350Z

Reserved: 2022-12-29T03:00:40.879Z

Link: CVE-2023-22461

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-01-04T15:15:09.510

Modified: 2024-11-21T07:44:51.047

Link: CVE-2023-22461

cve-icon Redhat

No data.