TYPO3-PSA-2022-001: Sanitization bypass in SVG Sanitizer

Categories: Development, Security, TYPO3 CMS
Created by Oliver Hader
The third-party package enshrined/svg-sanitize, used by TYPO3 core packages, was susceptible to a bypass of its sanitization strategy.
  • Component Type: TYPO3 CMS
  • Subcomponent: SVG Sanitizer (based on enshrined/svg-sanitize)
  • Release Date: February 22nd, 2022
  • Impact: Cross-Site Scripting
  • Affected Versions: All LTS (v11, v10) & ELTS (v9, v8, v7)
  • Type: Advisory
  • References: CVE-2022-23638

Problem Description

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

Example A: SVG file fetched directly (mime-type image/svg+xml)

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
    <!--><img src onerror=alert(1)><!-->
    <![CDATA[ ><img src onerror=alert(2)> ]]>
</svg> 

The example above is not considered a vulnerability, since <img> is not evaluated in this context.

Example B: SVG embedded in HTML (mime-type text/html)

<html><body>
<div>
    <svg xmlns="http://www.w3.org/2000/svg">
        <!--><img src onerror=alert(1)><!-->
        <![CDATA[ ><img src onerror=alert(2)> ]]>
    </svg> 
</div>
</body></html>

The example above shows a vulnerable scenario, since both nested <img> occurrences break out of the SVG context and get interpreted in the embedding HTML context.

Examples were extracted from https://github.com/darylldoyle/svg-sanitizer/issues/71.

Solution

If SVG markup is embedded inline in HTML markup, please upgrade those projects to TYPO3 versions 11.5.7 LTS, 10.4.25 LTS, 9.5.33 ELTS, 8.7.45 ELTS or 7.6.56 ELTS, which use an upgraded version of the third-party SVG sanitizer library.
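For projects that embed SVG inline, the following added example (not part of this advisory and not code from TYPO3 or enshrined/svg-sanitize) shows a defence-in-depth step alongside the upgrade: an XML parser sees the payloads of Example A only as a comment node and a CDATA node, so they can be removed or re-serialised as escaped text before the markup is placed into HTML. The function name `neutralizeSvgCharacterData()` is hypothetical, and the code assumes PHP with the DOM extension.

```php
<?php
declare(strict_types=1);

// Added example; the function name is hypothetical, not TYPO3 or svg-sanitize API.
// Removes XML comments and converts CDATA sections to escaped text nodes, so the
// serialised SVG carries no comment or CDATA payload into an HTML document.
function neutralizeSvgCharacterData(string $svg): array
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($svg, LIBXML_NONET); // no network access while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok || $doc->documentElement === null) {
        throw new InvalidArgumentException('SVG is not well-formed XML');
    }

    $findings = [];
    $stack = [$doc];
    while ($stack !== []) {
        $parent = array_pop($stack);
        // Copy the live node list before modifying the tree.
        foreach (iterator_to_array($parent->childNodes) as $child) {
            if ($child instanceof DOMComment) {
                $findings[] = 'comment: ' . trim($child->data);
                $parent->removeChild($child);
            } elseif ($child instanceof DOMCdataSection) {
                $findings[] = 'cdata: ' . trim($child->data);
                // A plain text node is serialised with "<" and ">" escaped.
                $parent->replaceChild($doc->createTextNode($child->data), $child);
            } elseif ($child instanceof DOMElement) {
                $stack[] = $child;
            }
        }
    }
    return ['svg' => $doc->saveXML($doc->documentElement), 'findings' => $findings];
}

// Constructed input: Example A from this advisory.
$sample = <<<'SVG'
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
    <!--><img src onerror=alert(1)><!-->
    <![CDATA[ ><img src onerror=alert(2)> ]]>
</svg>
SVG;

$result = neutralizeSvgCharacterData($sample);
print_r($result['findings']);  // what was removed or escaped, for logging
echo $result['svg'], PHP_EOL;  // markup intended for inline embedding
```

The example covers only comment and CDATA nodes, the two constructs named in this advisory; it does not replace element and attribute sanitization.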

General Advice

Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.