CVE-2023-36828: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the sanitize function. Version 4.10.0 contains a patch for this issue.
References
- github.com/advisories/GHSA-6r5g-cq4q-327g
- github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php
- github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Tags/Svg.php
- github.com/statamic/cms/commit/c714893ad92de6e5ede17b501003441af505b30d
- github.com/statamic/cms/pull/8408
- github.com/statamic/cms/releases/tag/v4.10.0
- github.com/statamic/cms/security/advisories/GHSA-6r5g-cq4q-327g
- nvd.nist.gov/vuln/detail/CVE-2023-36828
Detect and mitigate CVE-2023-36828 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →