Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2020-March-25
Vulnerability:
Cross site scripting
Affected versions:
<1.10.0
Description:
SVG Image module allows to upload SVG files.
The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.
Solution:
Install the latest version:
- If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image 8.x-1.10
Also see the Svg Image project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
