SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc

xml2rfc allows script elements in SVG sources.
In HTML output having these script elements can lead to XSS attacks.

Sample XML snippet:

<artwork type="svg" src="data:image/svg+xml,%3Csvg viewBox='0 0 10 10' xmlns='http://www.w3.org/2000/svg'%3E%3Cscript%3E window.alert('Test Alert'); %3C/script%3E%3C/svg%3E">
</artwork>

Impact

This vulnerability impacts website that publish HTML drafts and RFCs.

Patches

This has been fixed in version 3.12.4.

Workarounds

If SVG source is self-contained within the XML, scraping script elements from SVG files.

References

https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script

For more information

If you have any questions or comments about this advisory:

Open an issue in xml2rfc
Email us at [email protected]
Infrastructure and Services Vulnerability Disclosure

References

GHSA-cf4q-4cqr-7g7w

kesara published to ietf-tools/xml2rfc Apr 12, 2022

Published to the GitHub Advisory Database Apr 22, 2022

Reviewed Apr 22, 2022

Last updated Jan 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

References

Severity

Weaknesses

CVE ID

GHSA ID

Source code