CVE-2023-40013

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Aug 14, 2023

Updated: Aug 23, 2023

CWE ID 79

Summary

CVE-2023-40013 is a vulnerability affecting the SVG Loader library, which is used to inject SVG code into a webpage. The library sanitizes the SVG code by removing JavaScript before injection, but its input sanitization logic is insufficient, enabling attackers to bypass it. This allows for Cross-site Scripting (XSS) attacks, which can result in the execution of malicious scripts. The vulnerability is particularly concerning for websites that allow users to provide or upload SVG files, making them susceptible to stored XSS attacks. The issue has been addressed in commit `d3562fc08`, which is included in releases from 1.6.9. Users are advised to upgrade as soon as possible, as there are currently no known workarounds for this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Advisories, Assessments, and Mitigations

Back to Vulnerability Database