darylldoyle/svg-sanitizer on GitHub
A PHP SVG/XML Sanitizer
CVE History
| CVE | Published | CVSS v2 | CVSS v3 |
|---|---|---|---|
| CVE-2023-28426 | N/A | N/A | |
| Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion. | |||
| CVE-2022-23638 | 6.1 MEDIUM | 4.3 MEDIUM | |
| svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scripting vulnerability impacts all users of the `svg-sanitizer` library prior to version 0.15.0. This issue is fixed in version 0.15.0. There is currently no workaround available. | |||
| CVE-2019-18857 | 7.5 HIGH | 5 MEDIUM | |
| darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript	:alert substring. | |||