SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028
Project: SVG Formatter
Date: 2022-March-09
Security risk: Critical 15/25
Vulnerability: Cross Site Scripting
Description
The SVG Formatter module provides support for using SVG images on your website.
The module's dependency, the enshrined/svg-sanitize library, has a cross-site scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with a permission that allows them to upload SVG images.
Solution
Update the module to 8.x-1.17 or 2.0.1, which allows the enshrined/svg-sanitize library to be updated to version 0.15 or newer.
The updated library is most easily installed with Composer. To update the module and library together, run the following Composer command:
composer update --with-dependencies drupal/svg_formatter
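After running the update, a practitioner will want to confirm that the locked library version actually meets the 0.15 threshold. The following check is an added example, not part of the advisory or the module; it parses a composer.lock (a constructed sample is embedded) and reports whether enshrined/svg-sanitize is at a fixed version.

```python
"""Check a composer.lock for the enshrined/svg-sanitize fix level.

Added example for this advisory: reads composer.lock JSON and reports
whether the locked enshrined/svg-sanitize version is 0.15 or newer,
the threshold given in the advisory.
"""
import json
import re

LIBRARY = "enshrined/svg-sanitize"
FIXED_VERSION = (0, 15, 0)  # from the advisory: 0.15 or newer


def parse_version(v):
    """Turn a Composer version such as 'v0.14.1' or '0.15' into an int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError("unrecognised version string: %s" % v)
    return tuple(int(x or 0) for x in m.groups())


def svg_sanitize_status(lock_text):
    """Return (locked_version, is_fixed) for the library in composer.lock.

    Both 'packages' and 'packages-dev' are searched. Returns (None, False)
    when the library is not locked at all, and (version, False) for a
    version that cannot be parsed (e.g. 'dev-master'), since it cannot be
    shown to be at or above the fixed release.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == LIBRARY:
                version = pkg.get("version", "")
                try:
                    return version, parse_version(version) >= FIXED_VERSION
                except ValueError:
                    return version, False
    return None, False


# Constructed sample lock entry (pre-fix), not a real composer.lock.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/svg_formatter", "version": "8.x-1.16"},
    {"name": LIBRARY, "version": "v0.14.1"},
]})

if __name__ == "__main__":
    version, fixed = svg_sanitize_status(SAMPLE_LOCK)
    print(LIBRARY, version, "fixed" if fixed else "NOT fixed")
```

Point it at the real file with `svg_sanitize_status(open("composer.lock").read())` after the Composer update has run.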