Vulnerability DatabaseCVE-2023-22461
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-22461
January 04, 2023
The "sanitize-svg" package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal "<script>"-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on "sanitize-svg" and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds
Affected Packages
@mattkrick/sanitize-svg (NPM):
Affected version(s) >=0.1.0 <0.4.0
Fix Suggestion:
Update to version 0.4.0
Related Resources (5)
https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22461.json
https://nvd.nist.gov/vuln/detail/CVE-2023-22461
https://github.com/mattkrick/sanitize-svg/commit/b107e453ede7b58adcccae74a3e474c012eec85d
https://github.com/mattkrick/sanitize-svg/security/advisories/GHSA-h857-2g56-468g
https://github.com/mattkrick/sanitize-svg
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-80
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
EPSS
Base Score:
0.36