CVE-2022-1091

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/darylldoyle/safe-svg

Identifiers

GHSA-5h7w-hmxc-99g5, CVE-2022-1091

Package Slug

packagist/darylldoyle/safe-svg

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the Content-Type in the POST request used to upload a file. By exploiting this vulnerability, an attacker can perform the kinds of attacks that this plugin is meant to prevent (mainly XSS, but depending on how the uploaded SVG files are used later, potentially other XML attacks).
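The defensive point behind this advisory is that a request-supplied MIME type is attacker-controlled and must not decide whether sanitisation runs. The following illustrative PHP is an added example, not the Safe SVG plugin's code: the function names, the sniffing heuristic and the constructed upload record are assumptions chosen to show a weak check beside a hardened one.

```php
<?php
// Decide whether an uploaded file must pass through SVG sanitisation.
// Added example, not the plugin's own code.

// Weak: trusts the client-declared MIME type. The browser (or any HTTP
// client) chooses this value, so a spoofed Content-Type bypasses the check.
function needs_svg_sanitisation_weak(array $file): bool
{
    return ($file['type'] ?? '') === 'image/svg+xml';
}

// Hardened: ignores the declared type and looks at what was actually sent.
// Treat the upload as SVG if its name ends in .svg/.svgz or if the leading
// bytes contain an <svg> element (tolerating an XML prolog, comments and
// whitespace before the root). Unreadable input fails closed.
function needs_svg_sanitisation(array $file): bool
{
    $name = strtolower($file['name'] ?? '');
    if (preg_match('/\.svgz?$/', $name)) {
        return true;
    }
    // Sniff the first 4 KiB; a very long leading comment could push the root
    // past this window, so a production check should parse with XMLReader
    // or grow the window as needed.
    $head = @file_get_contents($file['tmp_name'] ?? '', false, null, 0, 4096);
    if ($head === false) {
        return true;
    }
    return (bool) preg_match('/<svg[\s>\/]/i', $head);
}

// Constructed sample (assumption): a harmless SVG document uploaded under a
// .png file name with a spoofed Content-Type of image/png.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents(
    $tmp,
    '<?xml version="1.0"?><!-- constructed --><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
);
$upload = ['name' => 'logo.png', 'type' => 'image/png', 'tmp_name' => $tmp];

var_dump(needs_svg_sanitisation_weak($upload)); // decision based on the spoofed type only
var_dump(needs_svg_sanitisation($upload));      // decision based on the file's real content
unlink($tmp);
```

In a WordPress context the hardened decision belongs in the plugin's upload pre-filter, so that the sanitiser is invoked for every file that is in fact SVG regardless of the declared type.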

Affected Versions

All versions before 1.9.10

Solution

Upgrade to version 1.9.10 or above.

Last Modified

2022-05-01
