Unknown · Svg-Loader · CVE-2023-40013
**Name of the Vulnerable Software and Affected Versions**
svg-loader versions prior to 1.6.9
**Description**
The svg-loader library has insufficient input sanitization logic, allowing an attacker to craft a malicious SVG that can result in Cross-site Scripting (XSS). The library removes event attributes such as `onmouseover` and `onclick` but the list of events is not exhaustive, making it possible to bypass the sanitization. Any website that uses external-svg-loader and allows users to provide SVG sources or upload SVG files would be susceptible to a stored XSS attack.
**Recommendations**
For versions prior to 1.6.9, upgrade to version 1.6.9 or later to address the issue. As a temporary workaround, consider disabling the use of external SVG files or restricting user uploads to minimize the risk of exploitation. Avoid allowing the `onbegin` attribute on the `animate` element, as it can execute JavaScript without `data-js="enabled"` being set.
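As an added illustration, not code from the svg-loader project: a small JavaScript comparison of a fixed event-attribute blocklist (the approach the advisory describes as bypassable) against a rule that drops every attribute whose name starts with `on`. The blocklist contents, the mini attribute parser and the sample `animate` markup are constructed for this example.

```javascript
// Constructed, incomplete blocklist in the spirit of the advisory: it names some
// event attributes but not all of them, so unlisted events such as onbegin pass.
const EVENT_BLOCKLIST = new Set(["onmouseover", "onclick", "onload", "onerror"]);

// Weak policy: an attribute is kept unless its name is in the blocklist.
function allowedByBlocklist(name) {
  return !EVENT_BLOCKLIST.has(name.toLowerCase());
}

// Hardened policy: every attribute whose name begins with "on" is treated as an
// event handler and dropped, whatever the exact event (onbegin, onend, onrepeat...).
function allowedByPrefixRule(name) {
  return !name.toLowerCase().startsWith("on");
}

// Minimal attribute parser for one start tag, e.g. <animate onbegin="..."/>.
// Sufficient for this demonstration only; a real sanitizer should walk a parsed DOM.
function parseAttributes(tag) {
  const attrs = [];
  const re = /([^\s"'=<>\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs.push({ name: m[1], value: m[2] !== undefined ? m[2] : m[3] });
  }
  return attrs;
}

// Returns the names of the attributes that survive the given policy.
function survivingAttributes(tag, policy) {
  return parseAttributes(tag).filter((a) => policy(a.name)).map((a) => a.name);
}

// Constructed sample: an animate element carrying both a listed and an unlisted event.
const SAMPLE_TAG =
  '<animate attributeName="x" onbegin="alert(1)" onclick="alert(2)" dur="1s"/>';

console.log("blocklist keeps:", survivingAttributes(SAMPLE_TAG, allowedByBlocklist));
console.log("prefix rule keeps:", survivingAttributes(SAMPLE_TAG, allowedByPrefixRule));
```

Running it shows the blocklist letting `onbegin` through while removing `onclick`, whereas the prefix rule removes both and keeps only `attributeName` and `dur`.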