CVE-2023-36828 - OpenCVE

Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Statamic	Statamic

Configuration 1 [-]

cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15
https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40
https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d
https://github.com/statamic/cms/pull/8408
https://github.com/statamic/cms/releases/tag/v4.10.0
https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-05T21:30:06.196Z

Updated: 2024-08-02T17:01:09.623Z

Reserved: 2023-06-27T15:43:18.388Z

Link: CVE-2023-36828

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-05T22:15:10.113

Modified: 2023-07-12T15:48:25.017

Link: CVE-2023-36828

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-36828", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-27T15:43:18.388Z", "datePublished": "2023-07-05T21:30:06.196Z", "dateUpdated": "2024-08-02T17:01:09.623Z"}, "containers": {"cna": {"title": "Statamic's Antlers sanitizer cannot effectively sanitize malicious SVG", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g"}, {"name": "https://github.com/statamic/cms/pull/8408", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/pull/8408"}, {"name": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d"}, {"name": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15"}, {"name": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40"}, {"name": "https://github.com/statamic/cms/releases/tag/v4.10.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/statamic/cms/releases/tag/v4.10.0"}], "affected": [{"vendor": "statamic", "product": "cms", "versions": [{"version": "< 4.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-05T21:30:06.196Z"}, "descriptions": [{"lang": "en", "value": "Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue."}], "source": {"advisory": "GHSA-6r5g-cq4q-327g", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:01:09.623Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g"}, {"name": "https://github.com/statamic/cms/pull/8408", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/statamic/cms/pull/8408"}, {"name": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d"}, {"name": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15"}, {"name": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40"}, {"name": "https://github.com/statamic/cms/releases/tag/v4.10.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/statamic/cms/releases/tag/v4.10.0"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*", "matchCriteriaId": "67630996-B2F8-467B-B65C-AAA8E1828664", "versionEndExcluding": "4.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. Version 4.10.0 contains a patch for this issue."}], "id": "CVE-2023-36828", "lastModified": "2023-07-12T15:48:25.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-07-05T22:15:10.113", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php#L36-L40"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/statamic/cms/pull/8408"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/statamic/cms/releases/tag/v4.10.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}