SVG Loader is a JavaScript library that fetches SVGs using XMLHttpRequest and injects the SVG code in the tag's place. According to the docs, svg-loader strips all JS code before injecting the SVG file for security reasons, but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in cross-site scripting (XSS). When trying to sanitize the SVG, the library removes event attributes such as `onmouseover` and `onclick`, but the list of events is not exhaustive. Any website which uses external-svg-loader and allows its users to provide an SVG `src` or upload SVG files would be susceptible to a stored XSS attack. This issue has been addressed in commit `d3562fc08`, which is included in releases from 1.6.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
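The advisory's point is that enumerating event names is the wrong shape of check: any attribute whose name starts with `on` is a handler, so a filter should match the prefix rather than a list. The following is an added example in JavaScript, not code from the external-svg-loader project and not a description of what commit `d3562fc08` changed (the page does not show the fix). It contrasts an enumerated denylist with the prefix rule and adds a checker that an upload handler could run on a submitted SVG before storing it. The function names, the regex tokenizer and the sample markup are assumptions of this example.

```javascript
// Added example, not code from the external-svg-loader project. Assumptions:
// input is SVG markup as a string; the small regex tokenizer below handles
// ordinary quoted attributes and is illustrative only (attribute values that
// contain '>' are not handled). In a browser, prefer DOMParser and a walk over
// element.attributes to regexes over raw markup.

// An enumerated list in the style the advisory describes: only named events go.
const NARROW_DENYLIST = new Set(['onmouseover', 'onclick']);

// Opening tag: name, attribute text, optional self-closing slash.
// Closing tags, comments, <?xml ?> and CDATA do not match (no letter after '<').
const TAG_RE = /<([a-zA-Z][\w:.-]*)([^>]*?)(\/?)>/g;
// One attribute: name, then optional ="..." | '...' | bare value.
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Well-formed <script>...</script> elements and self-closed <script/> tags.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>|<script\b[^>]*\/>/gi;

function parseAttrs(attrText) {
  const attrs = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs.push({ name: m[1], value });
  }
  return attrs;
}

function serializeAttrs(attrs) {
  return attrs
    .map(a => (a.value === undefined ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`))
    .join(' ');
}

// Defensive rule: every attribute whose name starts with "on" is an event
// handler, whatever its suffix, so nothing has to be enumerated. href and
// xlink:href values that resolve to a javascript: URL once whitespace and
// control characters are removed are dropped as well.
function isDangerousAttr(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return true;
  if ((n === 'href' || n === 'xlink:href') && value !== undefined) {
    const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
    if (v.startsWith('javascript:')) return true;
  }
  return false;
}

// Rebuild every opening tag, keeping only the attributes shouldDrop accepts.
function rewriteTags(svg, shouldDrop) {
  return svg.replace(TAG_RE, (whole, name, attrText, selfClose) => {
    const kept = parseAttrs(attrText).filter(a => !shouldDrop(a.name, a.value));
    const attrs = kept.length ? ' ' + serializeAttrs(kept) : '';
    return `<${name}${attrs}${selfClose}>`;
  });
}

// Enumerated-denylist filter, in the style the advisory describes.
function stripNarrowDenylist(svg) {
  return rewriteTags(svg, name => NARROW_DENYLIST.has(name.toLowerCase()));
}

// Hardened filter: script elements (and any stray script tags) removed first,
// then the prefix rule applied to every remaining tag.
function sanitizeSvg(svg) {
  const noScript = svg.replace(SCRIPT_RE, '').replace(/<\/?script\b[^>]*>/gi, '');
  return rewriteTags(noScript, isDangerousAttr);
}

// Checker for an upload handler: lists what sanitizeSvg would remove, so a
// submission carrying script can be rejected and logged instead of silently
// rewritten.
function findUnsafeFeatures(svg) {
  const found = new Set();
  if (/<script\b/i.test(svg)) found.add('script');
  for (const m of svg.matchAll(TAG_RE)) {
    for (const a of parseAttrs(m[2])) {
      if (isDangerousAttr(a.name, a.value)) found.add('attr:' + a.name.toLowerCase());
    }
  }
  return [...found].sort();
}

// Constructed sample: two handler attributes, one on the narrow list and one not.
const SAMPLE = '<svg xmlns="http://www.w3.org/2000/svg" onclick="a()" onload="b()">'
  + '<circle r="4" fill="red"/></svg>';

console.log(stripNarrowDenylist(SAMPLE)); // the second handler survives the narrow list
console.log(sanitizeSvg(SAMPLE));         // both handlers are gone
console.log(findUnsafeFeatures(SAMPLE));  // what a reject-on-upload policy would report
```

Run under Node; the three lines printed show the narrow list leaving one handler in place, the prefix rule removing both, and the checker's report. The design choice worth noting is that `sanitizeSvg` never needs updating when a new event name appears, whereas `stripNarrowDenylist` does, which is exactly the maintenance failure the advisory describes.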
Published: 2023-08-14 21:15:14
Updated: 2023-08-23 00:03:47
Source: GitHub, Inc.
View at NVD, CVE.org
Vulnerability category: Cross-site scripting (XSS)

Products affected by CVE-2023-40013

Exploit prediction scoring system (EPSS) score for CVE-2023-40013

EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~29% (proportion of vulnerabilities scored at or below this value)

CVSS scores for CVE-2023-40013

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
7.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L | 1.6 | 5.5 | GitHub, Inc. |

CWE ids for CVE-2023-40013

References for CVE-2023-40013
