CVE-2023-40013 HIGH

CVE-2023-40013: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in external-svg-loader

Vendor Shubhamjain

Product svg-loader

Weakness CWE-79 · XSS

Published August 14, 2023

Last update October 2, 2024

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in Cross-site Scripting (XSS). When trying to sanitize the svg the lib removes event attributes such as `onmouseover`, `onclick` but the list of events is not exhaustive. Any website which uses external-svg-loader and allows its users to provide svg src, upload svg files would be susceptible to stored XSS attack. This issue has been addressed in commit `d3562fc08` which is included in releases from 1.6.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

August 14, 2023 CVE published

October 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-40013 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2023-40013: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in external-svg-loader

01Description

02Disclosure timeline

03References

04Related CVE