SVG Image module allows to upload SVG files.
The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file.
Install the latest version:
- If you use the SVG Image module for Drupal 8.x, upgrade to Svg Image 8.x-1.10
Also see the Svg Image project page.
- Greg Knaddison of the Drupal Security Team