SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
Project: SVG Embed
Date: 2024-October-23
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross site scripting
Affected versions: <2.1.2
Description: This module enables you to embed the content of an SVG file into the body HTML of a node and optionally allows translating text contained within the image.
The module doesn't sufficiently sanitize the SVG file before embedding it into the HTML.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files, and the permission to use a text format that includes the SVG embed filter.
Solution: Install the latest version:
- If you use the svg_embed module for Drupal 7.x, upgrade to svg_embed 7.x-1.3
- If you use the svg_embed module for Drupal 10 or 11, upgrade to svg_embed 2.1.2
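As an added illustration (not code from the svg_embed module or the Drupal Security Team), the following Python sketch shows the kind of filtering an embed filter has to apply before an uploaded SVG file's markup is inlined into node HTML. Inline SVG shares the page's DOM, so script elements, event-handler attributes, javascript: links and foreignObject wrappers inside the file all run as site script; the sanitizer parses the file first (so character references such as `&#58;` are resolved before checking), then removes those constructs and reports what it removed. The sample SVG is constructed for the example; the function names and the allowed-scheme list are assumptions of this sketch, and it does not cover DOCTYPE or entity handling, which a production filter would also need to refuse.

```python
"""Strip active content from an SVG document before it is inlined into HTML.

Added example, not code from the svg_embed module. The parser is the standard
library's; a production filter should additionally refuse DOCTYPE/entity
declarations (e.g. via defusedxml), which this sketch does not cover.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or pull arbitrary HTML into the page (assumed list).
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
ALLOWED_SCHEMES = {"http", "https"}


def _local(name):
    """'{namespace}local' -> 'local'; non-string tags (comments, PIs) -> ''."""
    if not isinstance(name, str):
        return ""
    return name.rsplit("}", 1)[-1]


def _safe_href(value):
    """Allow fragment/relative links and http(s) URLs; reject javascript:, data:, etc.

    Browsers ignore whitespace and control characters inside a scheme, so
    'java\\tscript:' has to be treated as 'javascript:'.
    """
    compact = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    if compact.startswith(("#", "/")) or ":" not in compact:
        return True  # fragment, absolute path, or relative path without a scheme
    return compact.partition(":")[0] in ALLOWED_SCHEMES


def _scrub(elem, findings):
    """Recursively drop event handlers, unsafe hrefs and forbidden child elements."""
    tag = _local(elem.tag)
    for key in list(elem.attrib):
        attr = _local(key)
        if attr.lower().startswith("on"):
            del elem.attrib[key]
            findings.append(f"dropped event handler {attr} on <{tag}>")
        elif attr == "href" and not _safe_href(elem.attrib[key]):
            del elem.attrib[key]
            findings.append(f"dropped unsafe href on <{tag}>")
    for child in list(elem):
        child_tag = _local(child.tag)
        if not child_tag or child_tag in FORBIDDEN_ELEMENTS:
            elem.remove(child)  # subtree goes with it, so nothing inside it is inlined
            findings.append(f"removed element <{child_tag or 'non-element node'}>")
        else:
            _scrub(child, findings)


def sanitize_svg(svg_text):
    """Return (cleaned SVG markup, list of removals).

    Raises ValueError when the root element is not <svg>, so a file that only
    carries an .svg extension is rejected outright instead of embedded.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    findings = []
    _scrub(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample: an SVG carrying the payload shapes a filter must strip.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <circle cx="10" cy="10" r="5" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><text x="0" y="20">link</text></a>
  <a href="java&#x09;script:alert(4)"><text x="0" y="30">link</text></a>
  <a href="https://example.com/"><text x="0" y="40">kept</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(5)"/></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(SAMPLE_SVG)
    for item in removed:
        print(item)
    print(cleaned)
```

Parsing before filtering is the point of the design: a regular-expression pass over the raw file misses encoded forms that the browser will decode, whereas the DOM the filter sees here is the same one the browser would build. The removal log is what a site would want to record, since a legitimate SVG export rarely contains any of these constructs and their presence in an upload is worth an alert on its own.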
Reported By:
Fixed By:
- Ivo Van Geertruyen of the Drupal Security Team
- Jürgen Haas
Coordinated By:
- Ivo Van Geertruyen of the Drupal Security Team