CVE-2023-36828

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 4.10.0

Description The issue concerns the SVG tag not sanitizing malicious SVG, allowing an attacker to perform cross-site scripting attacks using SVG, even when using the sanitize function. This can be exploited by uploading a manipulated SVG file, potentially triggering an XSS vulnerability. The estimated number of potentially affected devices is not specified.

Technical details about exploitation include:

Recommendations For versions prior to 4.10.0, update to version 4.10.0 to resolve the issue. As a temporary workaround, consider sanitizing the SVG when outputting it, utilizing a reliable package such as https://github.com/darylldoyle/svg-sanitizer to ensure comprehensive SVG sanitization capabilities. Restrict access to uploading SVG files to minimize the risk of exploitation until the issue is resolved.