
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN107
_____________________________________________________________________

DATE                : 05/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SVG Formatter for Drupal prior to
                     8.x-1.12.

=====================================================================
https://www.drupal.org/sa-contrib-2020-005
_____________________________________________________________________

SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005


Project: SVG Formatter
Date: 2020-March-04
Security risk:
Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross site scripting


Description:

SVG Formatter module provides support for using SVG images on your
website.

This security release updates third-party dependencies included in or
required by SVG Formatter. The dependency fix closes a cross-site
scripting (XSS) filter bypass: the sanitization applied to uploaded SVG
content could be evaded by encoding the payload with character entities
and tab characters, so that script-bearing content passed the filter and
was rendered in users' browsers.

This vulnerability is mitigated by the fact that an attacker must be
able to upload SVG files.
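The following is an added illustration of the failure mode the advisory
describes, not code from SVG Formatter, from its sanitizer dependency, or
from the Drupal Security Team. It assumes the classic shape of an
entity/tab bypass: a `javascript:` URL in an SVG `href` attribute in
which a tab written as the character entity `&#9;` splits the scheme
("java&#9;script:"), so a check that compares the raw attribute text
against "javascript:" misses it, while a browser, which ignores tab, LF
and CR inside a URL, still executes it. The sample SVG documents, the
function names and the attribute policy are all constructed for the
example; the hardened check normalizes the value the way a browser's URL
parser will before matching the scheme.

```python
"""Scan uploaded SVG text for script-bearing URLs that a raw-text prefix
check misses.  Constructed example: not the SVG Formatter module's code
nor its sanitizer dependency; sample documents and names are made up."""
import html
import re
import xml.etree.ElementTree as ET

# Schemes that execute script when used as a link target.  data: is left
# out on purpose: embedded raster images in SVG legitimately use it.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:")
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"


def local_name(qualified: str) -> str:
    """Strip ElementTree's '{namespace}' prefix from a tag/attribute name."""
    return qualified.rsplit("}", 1)[-1]


def naive_is_dangerous(value: str) -> bool:
    """The kind of check an entity/tab bypass defeats: match on raw text."""
    return value.lower().startswith(DANGEROUS_SCHEMES)


def normalize_url(value: str) -> str:
    """Canonicalise a URL attribute the way a browser will see it:
    decode any HTML entities still present (the XML parser has already
    decoded &#9; into a literal tab), drop leading/trailing C0 controls
    and spaces, then delete tab, LF and CR anywhere in the value."""
    decoded = html.unescape(value)
    decoded = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", decoded)
    decoded = re.sub(r"[\t\n\r]", "", decoded)
    return decoded.lower()


def hardened_is_dangerous(value: str) -> bool:
    """Scheme check applied after normalisation."""
    return normalize_url(value).startswith(DANGEROUS_SCHEMES)


def scan_svg(svg_text: str) -> list:
    """Return (element, attribute, value) triples for every dangerous
    href/xlink:href, every on* event-handler attribute, and every inline
    <script> element (attribute is None for script elements)."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = local_name(el.tag)
        if tag == "script":
            findings.append((tag, None, (el.text or "").strip()))
        for attr, value in el.attrib.items():
            name = local_name(attr)
            is_handler = re.fullmatch(r"on[a-z]+", name, re.IGNORECASE) is not None
            if is_handler or (name == "href" and hardened_is_dangerous(value)):
                findings.append((tag, name, value))
    return findings


# Constructed sample uploads.
_HEAD = '<svg xmlns="%s" xmlns:xlink="%s">' % (SVG_NS, XLINK_NS)
BENIGN = _HEAD + '<a xlink:href="https://example.org/"><text>link</text></a></svg>'
OBVIOUS = _HEAD + '<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>'
# The bypass: a tab character reference splits the scheme.
BYPASS = _HEAD + '<a xlink:href="java&#9;script:alert(document.domain)"><text>x</text></a></svg>'


def compare(svg_text: str) -> dict:
    """Show which href values the naive and hardened checks each flag."""
    root = ET.fromstring(svg_text)
    hrefs = [v for el in root.iter() for a, v in el.attrib.items()
             if local_name(a) == "href"]
    return {
        "naive": [v for v in hrefs if naive_is_dangerous(v)],
        "hardened": [v for v in hrefs if hardened_is_dangerous(v)],
    }


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("obvious", OBVIOUS), ("bypass", BYPASS)):
        print(label, compare(doc), scan_svg(doc))
```

The key design point is that the check runs on the value after the XML
parser has decoded entities and after tab/LF/CR have been removed, which
is the representation the browser's URL parser acts on; matching against
the raw, entity-encoded source is what the bypass exploits. The same
normalization step belongs in any allow-list check on `href` targets
before SVG is served inline.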


Solution:

Install the latest version:

    If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG
    Formatter 8.x-1.12

Also see the SVG Formatter project page.


Reported By:

    Jeroen Tubex

Fixed By:

    Goran Nikolovski

Coordinated By:

    Greg Knaddison of the Drupal Security Team



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


