Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-October-23
Vulnerability:
Cross Site Scripting
Affected versions:
<1.0.1
CVE IDs:
CVE-2024-13287
Description:
This module enables you to animate an SVG graphic by selecting certain rows in a view.
The module doesn't sufficiently sanitize the SVG file before embedding it into the html.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files.
Solution:
Install the latest version:
- If you use the views_svg_animation module for Drupal 10 or 11, upgrade to views_svg_animation 1.0.1
Reported By:
Fixed By:
Coordinated By:
- Juraj Nemec of the Drupal Security Team
