TYPO3 Core

Recent update of package enshrined/svg-sanitize v0.15.0 has been released during the weekend - unfortunately this has not been coordinated with other projects depending on this library. Currently, the explanation in corresponding advisory lacks describing the vulnerable scenario and the implications.

That's why I created a ticket, trying to come up with potential scenarios and requesting more details from the maintainer.
→ see https://github.com/darylldoyle/svg-sanitizer/issues/71

Thus, the current understanding is, that recent changes in enshrined/svg-sanitize addressed a cross-site scripting vulnerability when SVG is used inline, embedded in HTML content only. We're still waiting for approval and a potential update of the corresponding advisory.

Besides that, there has been a report by others about a potential regression after the update to v0.15.0 of the library - I've already created a corresponding PR addressing this regression - which has not been picked up by the maintainer, yet.
→ see https://github.com/darylldoyle/svg-sanitizer/issues/70
→ see https://github.com/darylldoyle/svg-sanitizer/pull/72

To overcome the failure message of roave/security-advisories as a work-around, there are basically two options in those custom projects:

• upgrade the enshrined/svg-sanitize: composer req enshrined/svg-sanitize:^0.15 (taking the risk of being affected by the regression mentioned above)
• disable (ignore) roave/security-advisories to perform updating other packages
  • composer remove --dev roave/security-advisories
  • perform your upgrades to other packages
  • composer req --dev --no-update roave/security-advisories:dev-latest (without running updates)
  • composer update --lock (just updating composer.lock file)
  • NOTE: This is just a work-around!

In general enshrined/svg-sanitize is used in TYPO3 to avoid malicious file-uploads (e.g. logos or avatar images) being available via a public readable storage like https://example.org/fileadmin/evil-logo.svg.

References to earlier announcements concerning SVG-vulnerabilities:

• https://typo3.org/security/advisory/typo3-psa-2020-003
• https://typo3.org/security/advisory/typo3-psa-2019-010

Thanks for posting the workaround. Saved some headache!

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73627

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73628

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516