PT-2023-29218 · October

Aldin Visnjic

Published 2023-11-29 · Updated 2023-12-05 · CVE-2023-44383

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: October versions prior to 3.5.2

Description: A user with access to the media manager could upload an SVG file containing script and so mount a stored XSS attack against themselves and any other user with access to the media manager, whenever SVG files are among the supported file types. The issue arises because SVG files are supported by default, which has led to mistaken vulnerability reports.

Recommendations: For versions prior to 3.5.2, remove the svg extension from the list of supported file types as a temporary workaround until the patch can be applied. Update to version 3.5.2, which includes an SVG sanitizer that is enabled by default for new installations. For existing sites, enable the SVG sanitizer in config/media.php by setting 'clean_vectors' => true.
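The following is an added example, not October CMS code, written in Python rather than the project's PHP. It models the two controls the recommendations describe: rejecting .svg uploads once the extension is removed from the allow-list, and sanitizing SVG content before it is stored, which is what an SVG sanitizer such as the clean_vectors option does. The function names, the element and attribute lists and the sample SVG are this example's own. The sample also shows why an uploaded SVG is a stored XSS vector: when a browser opens the file URL directly (not through an <img> tag), inline script, event-handler attributes, javascript: links and HTML embedded via foreignObject all run in the site's origin.

```python
"""Model of the two controls the advisory recommends, as an added example:
this is not October CMS code. (1) Refuse .svg uploads by removing the
extension from the allow-list (the pre-3.5.2 workaround). (2) Strip active
content from SVGs before storing them (what an SVG sanitizer does). The
element and attribute lists below are this example's own choices."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep serialized output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that can run script or embed arbitrary HTML inside an SVG document.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# CSS constructs that load external resources or (in legacy engines) run code.
DANGEROUS_CSS = re.compile(r"url\s*\(|expression\s*\(|@import", re.I)

# Constructed sample: an SVG an unsanitized media manager would store as-is.
# It executes when a user opens the file URL directly in the browser.
EVIL_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.cookie)">
  <script>//<![CDATA[
    fetch('/backend/users', {credentials: 'include'});
  //]]></script>
  <a xlink:href="java&#9;script:alert(1)"><rect width="10" height="10"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(2)"/></body></foreignObject>
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]


def safe_href(value):
    """Allow fragments, relative URLs and http(s); reject javascript:, data:, etc.
    Control characters and spaces are removed first so 'java\\tscript:' is caught."""
    compact = re.sub(r"[\x00-\x20]", "", value)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", compact)
    return m is None or m.group(1).lower() in {"http", "https"}


def sanitize_svg(svg_text):
    """Return (cleaned SVG string, list of findings). Raises ValueError if the
    root is not <svg>. Parsing uses the standard library; for untrusted input
    in production prefer defusedxml so entity-expansion attacks are ruled out too."""
    root = ET.fromstring(svg_text)
    if local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")
    findings = []

    # Pass 1: drop whole subtrees that can execute code or embed HTML.
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        name = local_name(el.tag)
        if name in DANGEROUS_ELEMENTS:
            parents[el].remove(el)
            findings.append(f"removed element {name}")

    # Pass 2: on what remains, strip event handlers, unsafe links and risky CSS.
    for el in root.iter():
        tag = local_name(el.tag)
        for key in list(el.attrib):
            attr = local_name(key)
            value = el.attrib[key]
            if attr.lower().startswith("on"):
                del el.attrib[key]
                findings.append(f"removed attribute {attr} from {tag}")
            elif attr == "href" and not safe_href(value):
                del el.attrib[key]
                findings.append(f"removed unsafe href from {tag}")
            elif attr == "style" and DANGEROUS_CSS.search(value):
                del el.attrib[key]
                findings.append(f"removed style from {tag}")
    return ET.tostring(root, encoding="unicode"), findings


def handle_upload(filename, content, allowed_extensions, clean_vectors):
    """Upload gate returning (stored content or None, findings). Mirrors the two
    options in the advisory: drop 'svg' from allowed_extensions, or keep it and
    sanitize. With 'svg' allowed and clean_vectors False the file is stored as-is,
    which is the vulnerable pre-3.5.2 configuration."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed_extensions:
        return None, [f"rejected: extension {ext!r} not allowed"]
    if ext == "svg" and clean_vectors:
        return sanitize_svg(content)
    return content, []


if __name__ == "__main__":
    cases = ((["png", "jpg"], False), (["png", "jpg", "svg"], False), (["png", "jpg", "svg"], True))
    for exts, clean in cases:
        stored, notes = handle_upload("logo.svg", EVIL_SVG, exts, clean)
        print(f"svg allowed={'svg' in exts} clean_vectors={clean}: stored={stored is not None} {notes}")
```

Running the script shows the three configurations side by side: the extension workaround rejects the file outright, the default pre-3.5.2 setup stores the payload unchanged, and the sanitizing path stores an SVG that keeps its shapes but has lost the script element, the onload handler, the javascript: link and the foreignObject block.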

Tags: XSS

Related Identifiers: CVE-2023-44383, GHSA-RVX8-P3XP-FJ3P

Affected Products: October