- Component Type: TYPO3 CMS
- Subcomponent: SVG Sanitizer (based on enshrined/svg-sanitize)
- Release Date: February 22nd, 2022
- Impact: Cross-Site Scripting
- Affected Versions: All LTS (v11, v10) & ELTS (v9, v8, v7)
- Type: Advisory
- References: CVE-2022-23638
Problem Description
The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.
Example A: SVG file fetched directly (mime-type image/svg+xml)
    <?xml version="1.0" encoding="UTF-8"?>
    <svg xmlns="http://www.w3.org/2000/svg">
      <!--><img src onerror=alert(1)><!-->
      <![CDATA[ ><img src onerror=alert(2)> ]]>
    </svg>
The example above is not considered a vulnerability, since <img> is not evaluated in this context.
Example B: SVG embedded in HTML (mime-type text/html)
    <html><body>
      <div>
        <svg xmlns="http://www.w3.org/2000/svg">
          <!--><img src onerror=alert(1)><!-->
          <![CDATA[ ><img src onerror=alert(2)> ]]>
        </svg>
      </div>
    </body></html>
The example above shows a vulnerable scenario, since both nested <img> occurrences break out of the SVG context and get interpreted in the embedding HTML context.
Examples were extracted from https://github.com/darylldoyle/svg-sanitizer/issues/71.
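To illustrate the comment and CDATA vector shown above, the following Python function (an added example, not code from TYPO3 or from enshrined/svg-sanitize) parses the SVG as XML, drops comment nodes and turns CDATA sections into ordinary escaped text before the markup is inlined into HTML. It complements a full SVG sanitizer, which must still handle scripts, event-handler attributes and external references; the sample input is Example B's SVG fragment.

```python
"""Neutralize comment and CDATA nodes in SVG that will be inlined into HTML.

Added example, not the library's own fix: an HTML parser may close a comment
early (<!-->) and treats a CDATA section outside foreign content as a bogus
comment, so HTML hidden in either can become live once the SVG is embedded in
a text/html document. Parsing as XML and removing those node kinds closes
exactly this vector; everything else stays the job of the real sanitizer.
"""
from xml.dom import minidom
from xml.dom.minidom import Node

# Constructed from the advisory's Example B (the <svg> fragment only).
EXAMPLE_B_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"> '
    '<!--><img src onerror=alert(1)><!--> '
    '<![CDATA[ ><img src onerror=alert(2)> ]]> '
    '</svg>'
)


def neutralize_comments_and_cdata(svg_markup: str) -> tuple[str, int]:
    """Return (cleaned SVG markup, number of comment/CDATA nodes handled).

    Raises xml.parsers.expat.ExpatError on malformed input, which a caller
    embedding untrusted SVG should treat as a reason to reject the file.
    """
    doc = minidom.parseString(svg_markup)
    count = _walk(doc, doc)
    return doc.documentElement.toxml(), count


def _walk(doc, node) -> int:
    count = 0
    # Iterate over a copy: childNodes is mutated below.
    for child in list(node.childNodes):
        if child.nodeType == Node.COMMENT_NODE:
            node.removeChild(child)  # comments carry nothing an SVG needs
            count += 1
        elif child.nodeType == Node.CDATA_SECTION_NODE:
            # Keep the characters, but as a text node the serializer escapes
            # (< > & become entities), so legitimate CSS/text survives inert.
            node.replaceChild(doc.createTextNode(child.data), child)
            count += 1
        else:
            count += _walk(doc, child)
    return count


if __name__ == "__main__":
    cleaned, n = neutralize_comments_and_cdata(EXAMPLE_B_SVG)
    print(f"{n} node(s) neutralized: {cleaned}")
```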
Solution
If SVG markup is embedded inline in HTML markup in your projects, please upgrade them to TYPO3 versions 11.5.7 LTS, 10.4.25 LTS, 9.5.33 ELTS, 8.7.45 ELTS or 7.6.56 ELTS, which use an upgraded version of the third-party SVG sanitizer library.
General Advice
Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.