Vulnerability-Lookup

CVE-2023-28426 (GCVE-0-2023-28426)

Vulnerability from cvelistv5 – Published: – Updated: 2023-03-23 00:00

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2023-03-23T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28426",
    "dateRejected": "2023-03-23T00:00:00.000Z",
    "dateReserved": "2023-03-15T00:00:00.000Z",
    "dateUpdated": "2023-03-23T00:00:00.000Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.\"}]",
      "id": "CVE-2023-28426",
      "lastModified": "2023-11-07T04:10:35.027",
      "published": "2023-03-20T14:15:11.767",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Rejected"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-28426\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-20T14:15:11.767\",\"lastModified\":\"2023-11-07T04:10:35.027\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.\"}],\"metrics\":{},\"references\":[]}}"
  }
}

FKIE_CVE-2023-28426

Vulnerability from fkie_nvd - Published: 2023-03-20 14:15 - Updated: 2023-11-07 04:10

Severity ?

Summary

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion."
    }
  ],
  "id": "CVE-2023-28426",
  "lastModified": "2023-11-07T04:10:35.027",
  "metrics": {},
  "published": "2023-03-20T14:15:11.767",
  "references": [],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Rejected"
}

GSD-2023-28426

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.

Aliases

CVE-2023-28426

Aliases

CVE-2023-28426

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-28426",
    "id": "GSD-2023-28426"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-28426"
      ],
      "details": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.",
      "id": "GSD-2023-28426",
      "modified": "2023-12-13T01:20:47.057009Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-28426",
        "STATE": "REJECT"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion."
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.16.0",
          "affected_versions": "All versions before 0.16.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-03-20",
          "description": "savg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in versions prior to 0.16.0 that allows an attacker to upload an SVG with persistent cross-site scripting. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn\u0027t seeing them as DOM elements. This issue is fixed in version 0.16.0. Any data within a CDATA node will now be sanitised using HTMLPurifier. The maintainers have also removed many of the HTML and MathML elements from the allowed element list, as without ForiegnObject, they\u0027re not legal within the SVG context. There are no known workarounds.",
          "fixed_versions": [
            "0.16.0"
          ],
          "identifier": "CVE-2023-28426",
          "identifiers": [
            "GHSA-xrqq-wqh4-5hg2",
            "CVE-2023-28426"
          ],
          "not_impacted": "All versions starting from 0.16.0",
          "package_slug": "packagist/enshrined/svg-sanitize",
          "pubdate": "2023-03-20",
          "solution": "Upgrade to version 0.16.0 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-xrqq-wqh4-5hg2",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-28426",
            "https://github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322",
            "https://github.com/advisories/GHSA-xrqq-wqh4-5hg2"
          ],
          "uuid": "b84168b5-cce1-489a-85d5-3909a734bb4d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": []
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-28426"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "savg-sanitizer is a PHP SVG/XML Sanitizer. A bypass has been found in versions prior to 0.16.0 that allows an attacker to upload an SVG with persistent cross-site scripting. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn\u0027t seeing them as DOM elements. This issue is fixed in version 0.16.0. Any data within a CDATA node will now be sanitised using HTMLPurifier. The maintainers have also removed many of the HTML and MathML elements from the allowed element list, as without ForiegnObject, they\u0027re not legal within the SVG context. There are no known workarounds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322",
              "refsource": "MISC",
              "tags": [],
              "url": "https://github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322"
            },
            {
              "name": "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-xrqq-wqh4-5hg2",
              "refsource": "MISC",
              "tags": [],
              "url": "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-xrqq-wqh4-5hg2"
            }
          ]
        }
      },
      "impact": {},
      "lastModifiedDate": "2023-03-21T11:51Z",
      "publishedDate": "2023-03-20T14:15Z"
    }
  }
}

GHSA-XRQQ-WQH4-5HG2

Vulnerability from github – Published: 2023-03-20 20:44 – Updated: 2023-03-23 12:50

Summary

svg-sanitizer has Cross-site Scripting Bypass

Details

Update

In #88 we have determined that the bypass this security advisory was created for, was a false positive and as such we have requested that the CVE be rejected.

A bypass has been found that allows an attacker to upload an SVG with persistent XSS.

HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn't seeing them as DOM elements.

Any data within a CDATA node will now be sanitised using HTMLPurifier. We've also removed many of the HTML and MathML elements from the allowed element list, as without ForiegnObject, they're not legal within the SVG context.

Additional tests have been added to the test suite to account for these new bypasses.

Impact

This impacts all users of the svg-sanitizer library.

Patches

This issue is fixed in 0.16.0 and higher.

Workarounds

There is currently no workaround available without upgrading.

For more information

If you have any questions or comments about this advisory:

Open an issue in Github Email us at daryll@enshrined.co.uk

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "enshrined/svg-sanitize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-20T20:44:30Z",
    "nvd_published_at": "2023-03-20T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Update\nIn [#88](https://github.com/darylldoyle/svg-sanitizer/issues/88) we have determined that the bypass this security advisory was created for, was a false positive and as such we have requested that the CVE be rejected.\n\n___\n\nA bypass has been found that allows an attacker to upload an SVG with persistent XSS.\n\nHTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn\u0027t seeing them as DOM elements.\n\nAny data within a CDATA node will now be sanitised using [HTMLPurifier](https://github.com/ezyang/htmlpurifier). We\u0027ve also removed many of the HTML and MathML elements from the allowed element list, as without `ForiegnObject`, they\u0027re not legal within the SVG context. \n\nAdditional tests have been added to the test suite to account for these new bypasses.\n\n### Impact\nThis impacts all users of the `svg-sanitizer` library.\n\n### Patches\nThis issue is fixed in 0.16.0 and higher.\n\n### Workarounds\nThere is currently no workaround available without upgrading.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [Github](https://github.com/darylldoyle/svg-sanitizer/issues)\nEmail us at [daryll@enshrined.co.uk](mailto:daryll@enshrined.co.uk)",
  "id": "GHSA-xrqq-wqh4-5hg2",
  "modified": "2023-03-23T12:50:28Z",
  "published": "2023-03-20T20:44:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-xrqq-wqh4-5hg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28426"
    },
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/issues/88"
    },
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/commit/cce18bc237c05c6e093e9672db7926788da9b322"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/darylldoyle/svg-sanitizer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "svg-sanitizer has Cross-site Scripting Bypass",
  "withdrawn": "2023-03-23T12:50:28Z"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-28426 (GCVE-0-2023-28426)

FKIE_CVE-2023-28426

GSD-2023-28426

GHSA-XRQQ-WQH4-5HG2

Update

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature