SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in Cross-site Scripting (XSS). When trying to sanitize the svg the lib removes event attributes such as `onmouseover`, `onclick` but the list of events is not exhaustive. Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack. This issue has been addressed in commit `d3562fc08` which is included in releases from 1.6.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Wed, 02 Oct 2024 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:shubhamjain:svg_loader:*:*:*:*:*:*:*:*
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-14T20:10:24.585Z

Updated: 2024-10-02T20:35:31.785Z

Reserved: 2023-08-08T13:46:25.241Z

Link: CVE-2023-40013

cve-icon Vulnrichment

Updated: 2024-08-02T18:24:54.579Z

cve-icon NVD

Status : Modified

Published: 2023-08-14T21:15:13.523

Modified: 2024-11-21T08:18:30.950

Link: CVE-2023-40013

cve-icon Redhat

No data.