The SVG Formatter module provides support for using SVG images on your website.
The module's dependency library, enshrined/svg-sanitize, has a cross-site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with a permission that allows them to upload SVG images.
Update the module to 8.x-1.17 or 2.0.1, which allows the enshrined/svg-sanitize library to be updated to version 0.15 or newer.
The updated library is most easily installed with Composer. To update both the module and the library, run the following Composer command:
composer update --with-dependencies drupal/svg_formatter
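After running the update, it is worth confirming that the sanitizer library actually landed at a fixed version rather than assuming it did. The following added example (not part of the advisory or the module) reads a composer.lock, finds the enshrined/svg-sanitize entry and checks it against the 0.15 minimum; the lock-file excerpts embedded below are constructed, and branch versions such as dev-master are treated as unproven and therefore still vulnerable.

```python
import json
import re

PACKAGE = "enshrined/svg-sanitize"
MIN_FIXED = (0, 15, 0)  # first fixed release named in the advisory


def parse_version(version):
    """Turn a Composer version string such as 'v0.14.1' into a comparable tuple."""
    # Branch versions (dev-master, aliases) cannot be proven fixed: return None.
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def locked_version(lock_text, package=PACKAGE):
    """Return the version composer.lock pins for `package`, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_fixed(lock_text):
    """True only when the lock pins enshrined/svg-sanitize at 0.15 or newer."""
    version = locked_version(lock_text)
    if version is None:
        return False  # library not locked at all: cannot confirm the fix
    parsed = parse_version(version)
    return parsed is not None and parsed >= MIN_FIXED


# Constructed composer.lock excerpts (not from a real site) for demonstration.
VULNERABLE_LOCK = json.dumps({"packages": [
    {"name": "example/unrelated", "version": "2.3.0"},
    {"name": "enshrined/svg-sanitize", "version": "0.14.1"},
]})
FIXED_LOCK = json.dumps({"packages": [
    {"name": "example/unrelated", "version": "2.3.0"},
    {"name": "enshrined/svg-sanitize", "version": "v0.15.0"},
]})

if __name__ == "__main__":
    for label, lock in (("before update", VULNERABLE_LOCK), ("after update", FIXED_LOCK)):
        state = "fixed" if is_fixed(lock) else "VULNERABLE"
        print(f"{label}: {locked_version(lock)} -> {state}")
```

Point `is_fixed` at the contents of your site's real composer.lock to run the same check against an actual deployment.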
- Damien McKenna of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team