PT-2023-21712 · Unknown · Svg-Sanitizer

Published 2023-03-20 · Updated 2023-03-23 · CVE-2023-28426
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: svg-sanitizer versions prior to 0.16.0
Description: A sanitization bypass has been found in the svg-sanitizer library that allows an attacker to upload an SVG carrying persistent cross-site scripting. The issue arises from incorrect sanitization of HTML elements inside CDATA nodes: their content was converted to text nodes and therefore never recognized as DOM elements, so it was not sanitized. To address this, any data within a CDATA node is now sanitized using HTMLPurifier. Additionally, many HTML and MathML elements have been removed from the allowed-element list, since they are not valid in the SVG context outside a foreignObject.
Recommendations: For versions prior to 0.16.0, update to version 0.16.0 or later to fix the issue. As a temporary workaround, disable the use of CDATA nodes in SVG uploads until the update can be applied. Restrict access to the svg-sanitizer library to reduce the exposure, and do not rely on it to sanitize SVG files that may contain malicious HTML elements within CDATA nodes until the fix is in place.
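The temporary workaround above (not accepting CDATA nodes in SVG uploads) as an added example that is not part of this advisory or of the svg-sanitizer project: a small Python upload gate that reports CDATA sections whose content looks like markup and, for files that must still be accepted, rewrites every CDATA section as an ordinary text node so its content is serialised escaped and can no longer be parsed as elements. The sample SVG and the function names are constructed for this example.

```python
"""Pre-upload gate for SVG files: find CDATA sections and neutralise them."""
import re
from xml.dom import minidom
from xml.dom.minidom import Node

# A '<' followed by an optional '/' and a letter is treated as tag-like content.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z]")

# Constructed sample: one CDATA section carries an HTML element, one is plain text.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <desc><![CDATA[<a href="https://example.invalid/">not plain text</a>]]></desc>
  <desc><![CDATA[plain notes, nothing to see]]></desc>
</svg>"""


def _cdata_nodes(node):
    """Yield every CDATA section node below `node`, in document order."""
    for child in node.childNodes:
        if child.nodeType == Node.CDATA_SECTION_NODE:
            yield child
        yield from _cdata_nodes(child)


def audit_svg(svg_bytes):
    """Return (parent element, snippet) for each CDATA section that contains markup."""
    doc = minidom.parseString(svg_bytes)
    findings = []
    for cdata in _cdata_nodes(doc):
        if MARKUP_RE.search(cdata.data):
            findings.append((cdata.parentNode.tagName, cdata.data.strip()[:60]))
    return findings


def neutralise_cdata(svg_bytes):
    """Replace every CDATA section with a text node holding the same characters.

    minidom escapes '<', '>', '&' and '"' when serialising text nodes, so any
    HTML inside the former CDATA block becomes inert text on output."""
    doc = minidom.parseString(svg_bytes)
    for cdata in list(_cdata_nodes(doc)):  # materialise before mutating the tree
        cdata.parentNode.replaceChild(doc.createTextNode(cdata.data), cdata)
    return doc.toxml()


if __name__ == "__main__":
    for parent, snippet in audit_svg(SAMPLE_SVG):
        print(f"markup inside CDATA under <{parent}>: {snippet}")
    print(neutralise_cdata(SAMPLE_SVG))
```

Rejecting the upload when `audit_svg` returns findings is the stricter option; `neutralise_cdata` is for pipelines that must keep the file but can live without CDATA.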

Fix

Weakness Enumeration: XSS

Related Identifiers: CVE-2023-28426, GHSA-XRQQ-WQH4-5HG2

Affected Products: Svg-Sanitizer