PT-2023-27208 · Unknown · Svg-Loader

R00Tdaemon · Published 2023-08-14 · Updated 2023-08-23

CVE-2023-40013
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: svg-loader (external-svg-loader) versions prior to 1.6.9
Description: The svg-loader library has insufficient input sanitization logic, allowing an attacker to craft a malicious SVG that results in cross-site scripting (XSS). The library removes event-handler attributes such as onmouseover and onclick, but its list of event names is not exhaustive, so an attacker can bypass the sanitization with an event attribute that is not on the list. Any website that uses external-svg-loader and lets users supply SVG sources or upload SVG files is susceptible to stored XSS.
Recommendations: For versions prior to 1.6.9, upgrade to version 1.6.9 or later. As a temporary workaround, disable the loading of external SVG files or restrict user uploads to minimize the risk of exploitation. Note that the onbegin attribute of the animate element executes JavaScript without the site having opted in with data-js="enabled", so any interim filtering of uploaded SVGs must strip it along with the other event attributes.
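As an added example, not code from this page or from the external-svg-loader project, the following Node script contrasts the fixed-blocklist approach the advisory describes with a sanitizer that strips every attribute whose case-folded name starts with "on". The blocklist, the SVG payload and all function names (filterAttributes, sanitizeWithBlocklist, sanitizeAllEventAttributes, hasEventHandler) are constructed for this illustration and are not the library's API.

```javascript
// Added illustrative example, not the external-svg-loader source.

// Hypothetical, deliberately incomplete blocklist standing in for the kind of
// fixed event-name list the advisory says can be bypassed.
const EVENT_BLOCKLIST = new Set(["onclick", "onmouseover", "onload", "onerror"]);

// Constructed payload: the onclick on <rect> is on the blocklist, the onbegin
// on <animate> (the attribute named in the advisory) is not.
const PAYLOAD =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<rect width="10" height="10" onclick="alert(1)"/>' +
  '<animate attributeName="x" dur="1s" onbegin="alert(1)"/>' +
  "</svg>";

// Minimal tokenizer for opening and self-closing tags: each tag is rebuilt
// keeping only the attributes that keep(name) accepts. Enough for well-formed
// SVG text; a production sanitizer should walk a parsed DOM instead.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function filterAttributes(svg, keep) {
  return svg.replace(TAG_RE, (_m, tag, attrs, selfClose) => {
    const kept = [];
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(attrs)) !== null) {
      // a[1] is the attribute name, a[2] the quoted/unquoted value (if any)
      if (keep(a[1])) kept.push(a[2] === undefined ? a[1] : `${a[1]}=${a[2]}`);
    }
    const attrText = kept.length ? " " + kept.join(" ") : "";
    return `<${tag}${attrText}${selfClose}>`;
  });
}

// Vulnerable pattern: only names on a fixed list are removed, so any event
// attribute the list's author forgot (onbegin, onend, onfocusin, ...) survives.
function sanitizeWithBlocklist(svg) {
  return filterAttributes(svg, (name) => !EVENT_BLOCKLIST.has(name.toLowerCase()));
}

// Hardened pattern: every attribute whose case-folded name starts with "on" is
// removed. No SVG presentation attribute begins with "on", so this loses nothing.
function sanitizeAllEventAttributes(svg) {
  return filterAttributes(svg, (name) => !name.toLowerCase().startsWith("on"));
}

// Check: does any tag in the markup still carry an on* attribute?
function hasEventHandler(svg) {
  let found = false;
  filterAttributes(svg, (name) => {
    if (name.toLowerCase().startsWith("on")) found = true;
    return true;
  });
  return found;
}

console.log("blocklist :", sanitizeWithBlocklist(PAYLOAD));
console.log("prefix    :", sanitizeAllEventAttributes(PAYLOAD));
```

Run with node: the first printed line still carries onbegin="alert(1)", the second carries no handler. Case-folding matters because the HTML parser lowercases attribute names when the SVG is inlined into the page, so ONBEGIN becomes onbegin at render time. Event attributes are only one vector: a complete SVG sanitizer also has to drop script elements, javascript: URLs in href/xlink:href and foreignObject content, which this example does not attempt.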

Exploit · Fix · XSS

Related Identifiers: CVE-2023-40013, GHSA-XC2R-JF2X-GJR8

Affected Products: Svg-Loader