
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN166
_____________________________________________________________________

DATE                : 26/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Svg Image for Drupal versions prior
                     to 8.x-1.10.

=====================================================================
https://www.drupal.org/sa-contrib-2020-008
_____________________________________________________________________

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

Project: Svg Image
Date: 2020-March-25
Security risk: Critical 15/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All
Vulnerability: Cross site scripting


Description:

The SVG Image module allows users to upload SVG files.

The module did not sufficiently protect against malicious code inside
SVG files leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have
permission to upload an SVG file.
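The class of defect described above is that an SVG is an XML document and may
carry <script> elements, on* event-handler attributes and javascript: links,
which the browser executes when the image is rendered inline. The following
Python gate is an added illustration of the kind of server-side check an
upload handler needs; it is not code from the Svg Image module or from the
fix, and the element and attribute blocklists, the function names and the
sample files are this example's own assumptions.

```python
"""Server-side gate for uploaded SVG files.

Added illustration, not code from the Svg Image module or its fix.  The
blocklists below are assumptions chosen for the example: they cover the
common ways an SVG carries executable content, not every possible one.
"""
import re
import xml.etree.ElementTree as ET

# Elements that run script or embed foreign markup inside an SVG (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignobject", "handler", "iframe", "embed", "object"}
# URL-bearing attributes whose value can name an executable scheme.
HREF_ATTRIBUTES = {"href"}
# Strict allow-list for link targets: fragments, http(s), or raster data URIs only.
SAFE_URL = re.compile(r"^(#|https?://|data:image/(png|jpeg|gif|webp);)", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A file that is not well-formed XML is rejected rather than guessed at.
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in HREF_ATTRIBUTES and not SAFE_URL.match(value.strip()):
                findings.append(f"unsafe {name} value {value!r} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the parser accepted the file and nothing was flagged."""
    return not find_active_content(svg_bytes)


# Constructed sample uploads for the demonstration.
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="#0a0"/>'
    b'<a href="#top"><rect width="2" height="2"/></a></svg>'
)
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>console.log("x")</script>'
    b'<rect width="1" height="1" onload="console.log(1)"/>'
    b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, "->", "accept" if is_safe_svg(data) else find_active_content(data))
```

The check is a blocklist and therefore the weaker of the two usual designs:
a sanitizer that rebuilds the document from an allow-list of elements and
attributes catches constructs this example does not name (CSS in a style
element, for instance). Either way the gate must run on the server at upload
time, since the rendering browser will not distinguish a user-supplied SVG
from the site's own markup.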


Solution:

Install the latest version:

    If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image
    8.x-1.10

Also see the Svg Image project page.


Reported By:

    Dmitry Kiselev


Fixed By:

    Yaroslav Lushnikov
    Dmitry Kiselev
    Jeroen Tubex


Coordinated By:

    Greg Knaddison of the Drupal Security Team




=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



