Project: 
Date: 2022-March-09
Vulnerability: Cross Site Scripting
Affected versions: <1.17.0 || =2.0.0
Description: 

SVG Formatter module provides support for using SVG images on your website.

The module's dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG images.

Solution: 

Update the module to 8.x-1.17 or 2.0.1, which allows the enshrined/svg-sanitize library to be updated to version 0.15 or newer.

The updated library is most easily installed with Composer. To update both the module and the library, run the following Composer command:

composer update --with-dependencies drupal/svg_formatter
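
After running the update, a site owner will want to confirm that the versions recorded in composer.lock actually fall outside the affected range above (module <1.17.0 or =2.0.0) and that the sanitizer library is at 0.15 or newer. The following Python script is an added example, not part of this advisory or of the SVG Formatter project: it reads a composer.lock fragment (a constructed sample is embedded, showing a still-vulnerable site) and reports whether an update is needed. It assumes drupal.org Composer versions of the form 1.16.0 / 2.0.0 and treats a pre-release suffix such as -rc1 the same as the final release, which is a simplification.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Constructed composer.lock fragment (not taken from any real site): only the
# two packages named in the advisory, both at versions that still need updating.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/svg_formatter", "version": "1.16.0"},
        {"name": "enshrined/svg-sanitize", "version": "0.14.1"},
    ],
    "packages-dev": [],
})

MODULE = "drupal/svg_formatter"
SANITIZER = "enshrined/svg-sanitize"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise '0.15.0', 'v1.16.0' or '8.x-1.17' into a comparable tuple.

    Simplification: a pre-release suffix ('-rc1', '-beta2') is dropped, so a
    pre-release sorts equal to the final release rather than before it.
    """
    v = version.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)       # drupal.org style '8.x-1.17' -> '1.17'
    v = v.split("-", 1)[0]               # drop any pre-release suffix
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:                # '1.17' -> (1, 17, 0)
        parts.append(0)
    return tuple(parts[:3])


def module_is_affected(version: str) -> bool:
    """The advisory's affected range for drupal/svg_formatter: '<1.17.0 || =2.0.0'."""
    v = parse_version(version)
    return v < (1, 17, 0) or v == (2, 0, 0)


def sanitizer_is_fixed(version: str) -> bool:
    """enshrined/svg-sanitize 0.15 or newer carries the fix."""
    return parse_version(version) >= (0, 15, 0)


def installed_versions(lock_json: str) -> Dict[str, str]:
    """Map package name -> version for every package in a composer.lock document."""
    data = json.loads(lock_json)
    found: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def assess(lock_json: str) -> Dict[str, Optional[object]]:
    """Combine both checks into one verdict for a site's composer.lock."""
    versions = installed_versions(lock_json)
    module = versions.get(MODULE)
    lib = versions.get(SANITIZER)
    module_affected = module is not None and module_is_affected(module)
    lib_fixed = lib is not None and sanitizer_is_fixed(lib)
    return {
        "module_version": module,
        "module_affected": module_affected,
        "sanitizer_version": lib,
        "sanitizer_fixed": lib_fixed,
        # An update is needed if the module is in the affected range, or the
        # sanitizer is present but still older than 0.15.
        "needs_update": module_affected or (lib is not None and not lib_fixed),
    }


if __name__ == "__main__":
    # Point this at a real site by replacing the sample with open("composer.lock").read().
    for key, value in assess(SAMPLE_COMPOSER_LOCK).items():
        print(f"{key}: {value}")
```

On a real site, the same two lines of `composer show drupal/svg_formatter` and `composer show enshrined/svg-sanitize` give the installed versions; the script only makes the range comparison explicit and repeatable across many sites.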

Reported By: 
Fixed By: 
Coordinated By: