CVE-2019-18857 Information
Feb 14, 2021
Description
darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript&#9;:alert substring.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Reference
https://github.com/darylldoyle/svg-sanitizer/commit/51ca4b713f3706d6b27769c6296bbc0c28a5bbd0
https://github.com/darylldoyle/svg-sanitizer/compare/0.11.0...0.12.0
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
7.5
Base Severity
HIGH