Vulnerability Details : CVE-2023-40013
SVG Loader (external-svg-loader) is a JavaScript library that fetches SVGs with XMLHttpRequest and injects the SVG markup in place of the tag. According to the docs, svg-loader strips all JavaScript before injecting the SVG file for security reasons, but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG that results in cross-site scripting (XSS). When sanitizing the SVG, the library removes event attributes such as `onmouseover` and `onclick`, but its list of event attributes is not exhaustive, so a handler outside the list survives sanitization. Any website that uses external-svg-loader and lets its users supply an SVG src or upload SVG files is susceptible to stored XSS. This issue has been addressed in commit `d3562fc08`, which is included in releases from 1.6.9 onward. Users are advised to upgrade. There are no known workarounds for this vulnerability.
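The weakness described above is a blocklist problem: a fixed list of handler names can never be complete. The following is an added example written for this page, not svg-loader's own sanitizer; `BLOCKLIST`, the sample SVG and the handler names in it are constructed to illustrate the pattern, and no claim is made about which exact names the library misses. It contrasts a toy sanitizer that removes only listed attributes with one that drops every `on*` attribute, `<script>` element and `javascript:` URL.

```javascript
// Added example, not svg-loader's code: a toy sanitizer that removes only a
// fixed list of event attributes, beside one that drops every on* attribute.
// BLOCKLIST and SAMPLE are constructed for illustration; the advisory only
// says the library's list of events is not exhaustive.

const BLOCKLIST = new Set(["onmouseover", "onclick"]); // deliberately incomplete

// attribute name, optionally followed by = and a quoted or bare value
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

function parseAttrs(attrText) {
  const attrs = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs.push([m[1], m[2] === undefined ? null : m[2]]);
  }
  return attrs;
}

// Rebuild every start tag, keeping only attributes for which keep(name, value)
// is true. String-based on purpose so it runs outside a browser; a production
// sanitizer should operate on a parsed DOM (DOMParser, DOMPurify), not on text.
function rewriteTags(svg, keep) {
  return svg.replace(/<([a-zA-Z][\w:-]*)([^>]*?)(\/?)>/g, (_whole, tag, attrText, selfClose) => {
    const kept = parseAttrs(attrText)
      .filter(([name, value]) => keep(name, value))
      .map(([name, value]) => (value === null ? name : `${name}=${value}`));
    return `<${tag}${kept.length ? " " + kept.join(" ") : ""}${selfClose}>`;
  });
}

// Weak: only the names in BLOCKLIST are removed, so any other handler survives.
function blocklistSanitize(svg) {
  return rewriteTags(svg, (name) => !BLOCKLIST.has(name.toLowerCase()));
}

// Stronger: remove <script> elements, every attribute whose name starts with
// "on" (no list to keep current), and any attribute carrying a javascript: URL.
function prefixSanitize(svg) {
  const noScripts = svg.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
  return rewriteTags(noScripts, (name, value) => {
    if (/^on/i.test(name)) return false;
    if (value !== null && /^["']?\s*javascript:/i.test(value)) return false;
    return true;
  });
}

// Check: does any event handler attribute remain in the output?
function hasEventHandler(svg) {
  return /\son\w+\s*=/i.test(svg);
}

// Constructed sample: two handlers (one in the blocklist, one not), a
// javascript: link and a script element.
const SAMPLE =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">' +
  '<circle r="4" onclick="alert(2)" fill="red"/>' +
  '<a href="javascript:alert(3)"><text>x</text></a>' +
  '<script>alert(4)</script></svg>';

console.log("blocklist:", blocklistSanitize(SAMPLE));
console.log("  handler left behind?", hasEventHandler(blocklistSanitize(SAMPLE)));
console.log("prefix:   ", prefixSanitize(SAMPLE));
console.log("  handler left behind?", hasEventHandler(prefixSanitize(SAMPLE)));
```

Run it with `node`. The blocklist variant strips `onclick` but leaves the `onload` handler, the `javascript:` link and the script element in place; the prefix variant returns `<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="red"/><a><text>x</text></a></svg>`. The regex tag walker is the simplest thing that runs offline and is itself not hardened (quoted `>` in values, entity-encoded or whitespace-padded `javascript:` schemes, `xlink:href`); the point is the keep rule, which should be a prefix or allowlist decision, never a list of bad names.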
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2023-40013
- cpe:2.3:a:shubhamjain:svg_loader:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-40013
0.07% probability of exploitation activity in the next 30 days
~29% percentile (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-40013
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | 
7.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L | 1.6 | 5.5 | GitHub, Inc. | 
CWE ids for CVE-2023-40013
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): the product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-40013
- https://github.com/shubhamjain/svg-loader/tree/main#2-enable-javascript (GitHub - shubhamjain/svg-loader: Plug 'n Play external SVG loader) [Product]
- https://github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in external-svg-loader, GitHub security advisory) [Vendor Advisory]
- https://github.com/shubhamjain/svg-loader/commit/d3562fc08497aec5f33eb82017fa1417b3319e2c (Merge pull request from GHSA-xc2r-jf2x-gjr8, shubhamjain/svg-loader@d3562fc) [Patch]
- https://github.com/shubhamjain/svg-loader/blob/main/svg-loader.js#L125-L128 (svg-loader/svg-loader.js at main) [Product]