
[4.x]: svg-sanitize has Cross-site Scripting Bypass [CVE-2023-28426] #12943

Closed
cuebit opened this issue Mar 21, 2023 · 2 comments

cuebit commented Mar 21, 2023

What happened?

Description

The following security vulnerability is blocking our deployment pipelines.

Package: enshrined/svg-sanitize
CVE: CVE-2023-28426
Title: svg-sanitizer has Cross-site Scripting Bypass
URL: GHSA-xrqq-wqh4-5hg2
Affected versions: <0.16.0
Reported at: 2023-03-20T20:44:30+00:00

Steps to reproduce

composer require craftcms/cms && composer audit

Workarounds

There is currently no workaround available without upgrading.

Craft CMS version

4.4.4

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response
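The reproduction step above relies on `composer audit` reaching the advisory database. As an added example (not Craft CMS or svg-sanitize code), here is an offline check that reads a composer.lock and flags enshrined/svg-sanitize when the locked version is below the 0.16.0 fix named in the advisory. The lock-file content is constructed for the example; `ADVISORIES`, `parse_version` and `find_affected` are names chosen here, not Composer APIs.

```python
"""Offline lock-file check for CVE-2023-28426 (GHSA-xrqq-wqh4-5hg2).

Added example, not project code. Reads composer.lock JSON and reports any
package whose installed version is below the advisory's fixed release.
"""
import json
import re
from typing import Dict, List, Tuple

# Advisory data as stated in the issue: affected versions <0.16.0, so the
# first fixed release is 0.16.0 and anything below it is in scope.
ADVISORIES: Dict[str, Dict[str, str]] = {
    "enshrined/svg-sanitize": {"cve": "CVE-2023-28426", "fixed_in": "0.16.0"},
}

# Constructed composer.lock fragment (not a real lock file). Composer records
# the exact installed version per package; "packages-dev" is checked too
# because dev dependencies still end up in many deployments.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.4.4"},
        {"name": "enshrined/svg-sanitize", "version": "0.15.4"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.5"},
    ],
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.15.4', 'v0.16.0' or '0.16.0-beta1' into a comparable tuple.

    Numeric parts are padded to three components. A trailing element marks
    releases (1) versus pre-releases (0) so that 0.16.0-beta1 sorts below
    0.16.0 and is still flagged: a pre-release cannot be assumed to carry
    the fix that the final release does.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    return nums + ((0,) if m.group(2) else (1,))


def find_affected(lock_json: str) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, cve) for each locked package that
    is below its advisory's fixed_in, across both lock-file sections.

    Branch installs ("dev-*") are flagged as well: a branch alias gives no
    proof that the fix commit is present, so they need manual review.
    """
    lock = json.loads(lock_json)
    hits: List[Tuple[str, str, str]] = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            adv = ADVISORIES.get(pkg["name"])
            if adv is None:
                continue
            installed = pkg["version"]
            if installed.startswith("dev-") or (
                parse_version(installed) < parse_version(adv["fixed_in"])
            ):
                hits.append((pkg["name"], installed, adv["cve"]))
    return hits


if __name__ == "__main__":
    for name, version, cve in find_affected(SAMPLE_LOCK):
        print(f"{name} {version} is affected by {cve}; upgrade to {ADVISORIES[name]['fixed_in']} or later")
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file's contents; an empty result for the package means the locked version is at or above 0.16.0, which is what the dependency bump in the fix releases produces.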


kbergha commented Mar 21, 2023

PR from Dependabot: #12936

@brandonkelly brandonkelly self-assigned this Mar 21, 2023
brandonkelly (Member) commented

Thanks for bringing this to our attention! Craft 3.8.5 and 4.4.5 are out with the svg-sanitize dependency bumped to ~0.16.0.
