<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <span dir="auto"><<a href="mailto:security-news@drupal.org">security-news@drupal.org</a>></span><br>Date: Wed, 25 Mar 2020 at 16:52<br>Subject: [Security-news] Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008<br>To:  <<a href="mailto:security-news@drupal.org">security-news@drupal.org</a>><br></div><br><br>View online: <a href="https://www.drupal.org/sa-contrib-2020-008" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2020-008</a><br>
<br>
Project: Svg Image [1]<br>
Date: 2020-March-25<br>
Security risk: *Critical* 15∕25<br>
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]<br>
Vulnerability: Cross site scripting<br>
<br>
Description: <br>
The SVG Image module allows users to upload SVG files.<br>
<br>
The module did not sufficiently protect against malicious code inside SVG<br>
files, leading to a cross-site scripting vulnerability.<br>
<br>
This vulnerability is mitigated by the fact that an attacker must have<br>
permission to upload an SVG file.<br>
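The advisory does not say which SVG constructs the module failed to filter, so the following added example (not code from the Svg Image module or from Drupal) illustrates the general check an upload handler should perform: parse the file and reject the active content that makes an SVG executable when served inline. The element and attribute lists, the helper names and the two sample files are assumptions constructed for the example.<br>

```python
"""Upload-time validator for SVG files (added illustration, not the module's code).
Rejects script-bearing content so that a stored SVG cannot run as a page script."""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that execute script or embed foreign (HTML) documents.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes whose value is a URL and can therefore carry a javascript: scheme.
HREF_ATTRS = {"href", XLINK_HREF}


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return a list of reasons the file must be rejected; empty means clean."""
    # An image never needs a DTD; entity declarations only enable expansion attacks.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["doctype/entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse error: {exc}"]
    if _local(root.tag) != "svg":
        return ["root element is not svg"]
    findings = []
    for elem in root.iter():  # includes the root element itself
        name = _local(elem.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, ... event handlers
                findings.append(f"{aname} handler on <{name}>")
            elif attr in HREF_ATTRS:
                # Collapse whitespace/control characters before reading the scheme.
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith("javascript:"):
                    findings.append(f"javascript: URL on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples: a plain drawing and one carrying inline script.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
BAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>x()</script></svg>'
```

A denylist like this is a first gate, not a complete defence: also serve user-uploaded SVGs from a separate origin or with a restrictive Content-Security-Policy, or rasterise them, so that anything the filter misses cannot execute in the site's origin.<br>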
<br>
Solution: <br>
Install the latest version:<br>
<br>
   * If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image<br>
     8.x-1.10 [3]<br>
<br>
Also see the Svg Image [4] project page.<br>
<br>
Reported By: <br>
   * Dmitry Kiselev  [5]<br>
<br>
Fixed By: <br>
   * Yaroslav Lushnikov  [6]<br>
   * Dmitry Kiselev  [7]<br>
   * Jeroen Tubex  [8]<br>
<br>
Coordinated By: <br>
   * Greg Knaddison [9] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/svg_image" rel="noreferrer" target="_blank">https://www.drupal.org/project/svg_image</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/svg_image/releases/8.x-1.10" rel="noreferrer" target="_blank">https://www.drupal.org/project/svg_image/releases/8.x-1.10</a><br>
[4] <a href="https://www.drupal.org/project/svg_image" rel="noreferrer" target="_blank">https://www.drupal.org/project/svg_image</a><br>
[5] <a href="https://www.drupal.org/user/1945174" rel="noreferrer" target="_blank">https://www.drupal.org/user/1945174</a><br>
[6] <a href="https://www.drupal.org/user/2870933" rel="noreferrer" target="_blank">https://www.drupal.org/user/2870933</a><br>
[7] <a href="https://www.drupal.org/user/1945174" rel="noreferrer" target="_blank">https://www.drupal.org/user/1945174</a><br>
[8] <a href="https://www.drupal.org/user/2228934" rel="noreferrer" target="_blank">https://www.drupal.org/user/2228934</a><br>
[9] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div></div>