Robyfirnandoyusuf

**Name of the Vulnerable Software and Affected Versions** Statamic versions prior to 4.10.0 **Description** The issue concerns the SVG tag not sanitizing malicious SVG, allowing an attacker to perform cross-site scripting attacks using SVG, even when using the `sanitize` function. This can be exploited by uploading a manipulated SVG file, potentially triggering an XSS vulnerability. The estimated number of potentially affected devices is not specified. Technical details about exploitation include: - **API Endpoints:** Not specified - **Vulnerable Parameters or Variables:** `sanitize` function, `File::get()` - **Function Names:** `sanitize` function **Recommendations** For versions prior to 4.10.0, update to version 4.10.0 to resolve the issue. As a temporary workaround, consider sanitizing the SVG when outputting it, utilizing a reliable package such as https://github.com/darylldoyle/svg-sanitizer to ensure comprehensive SVG sanitization capabilities. Restrict access to uploading SVG files to minimize the risk of exploitation until the issue is resolved.