Bug #100234
Incorporate tests of enshrined/svg-sanitize:v0.16.0
Status: closed
Description
It looks like the security release enshrined/svg-sanitize:v0.16.0 did not fix a real vulnerability and was a false-positive:
- https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-xrqq-wqh4-5hg2
- https://nvd.nist.gov/vuln/detail/CVE-2023-28426
- https://github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322
Running the two newly added test files against the previous version v0.15.4 of that package did not reveal any valid attack vector: all entities are correctly encoded and would not have led to an exploit in a browser context. This change in the TYPO3 context aims to demonstrate that there is no vulnerability.
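The description's argument is that markup surviving only as entity-encoded text (`&lt;script&gt;`) is parsed as a text node, not as an element, so it cannot execute in a browser. The following is an added example, not code from the TYPO3 change or from enshrined/svg-sanitize, that makes this check explicit: it parses sanitizer output with Python's standard XML parser and reports any element, event-handler attribute or URL attribute that would constitute active content. The two SVG strings are constructed samples; the element and attribute lists are assumptions chosen for the illustration, not the sanitizer's own allow-list.

```python
"""Check whether a sanitizer's SVG output still carries active content.

Added example (not part of TYPO3 or enshrined/svg-sanitize). The point it
demonstrates: an entity-encoded "<script>" survives parsing only as a text
node, so a structural walk over the parsed tree finds nothing active.
"""
import xml.etree.ElementTree as ET

# Assumed indicators of active content for this illustration (not the
# sanitizer's real allow-list): script-bearing elements, on* event handlers
# and URL attributes with an executable scheme.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
ACTIVE_URL_PREFIXES = ("javascript:", "data:text/html")
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href", "src"}

# Constructed sample: what a correctly sanitizing library emits when the
# input tried to smuggle a script element through a text node.
SANITIZED = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    "<text>&lt;script&gt;alert(1)&lt;/script&gt;</text>"
    "</svg>"
)

# Constructed sample of output that would NOT be safe, for contrast.
UNSANITIZED = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    "<script>alert(1)</script>"
    '<a href="javascript:alert(1)"><text>x</text></a>'
    "</svg>"
)


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg: str) -> list[str]:
    """Return a list of findings describing active content; empty if none.

    ElementTree expands only the five predefined XML entities, so &lt; and
    &gt; become literal characters inside a text node and never form a tag.
    """
    findings: list[str] = []
    root = ET.fromstring(svg)
    for el in root.iter():
        name = local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            # SVG event handler attributes all start with "on" (onclick, onload, ...).
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            if attr in URL_ATTRS and value.strip().lower().startswith(ACTIVE_URL_PREFIXES):
                findings.append(f"active URL in {aname} on <{name}>")
    return findings


def literal_text(svg: str) -> list[str]:
    """Return the non-blank text nodes after entity decoding.

    Showing these makes the mechanism visible: the decoded text reads like a
    script tag, yet it is data, not structure.
    """
    root = ET.fromstring(svg)
    return [el.text for el in root.iter() if el.text and el.text.strip()]


if __name__ == "__main__":
    print("sanitized findings:  ", find_active_content(SANITIZED))
    print("sanitized text nodes:", literal_text(SANITIZED))
    print("unsanitized findings:", find_active_content(UNSANITIZED))
```

For the sanitized sample the walk reports no findings while the text nodes contain the decoded string `<script>alert(1)</script>`, which is exactly the situation the description calls a false positive: the characters are present, the element is not. The same walk over the contrasting sample reports the script element and the `javascript:` link, so the check distinguishes encoded text from live markup rather than merely grepping for the word "script".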
Updated by Oliver Hader over 1 year ago
- Related to Task #100233: Upgrade enshrined/svg-sanitize to ^0.16 added
Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78193
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78193
Updated by Oliver Hader over 1 year ago
- Status changed from Under Review to Rejected
CVE was rejected
Updated by Lars Tode 7 months ago
- Related to Task #103722: Detected vulnerability with package 'enshrined/svg-sanitize' added