diff --git a/framework/Mime_Viewer/lib/Horde/Mime/Viewer/Images.php b/framework/Mime_Viewer/lib/Horde/Mime/Viewer/Images.php
index 3cc074cbd71..83ef1a5195e 100644
--- a/framework/Mime_Viewer/lib/Horde/Mime/Viewer/Images.php
+++ b/framework/Mime_Viewer/lib/Horde/Mime/Viewer/Images.php
@@ -72,6 +72,9 @@ protected function _getType()
/* image/x-png == image/png. */
return 'image/png';
+ case 'image/svg+xml':
+ return 'application/octet-stream';
+
default:
return $type;
}
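Review bot: The new `case 'image/svg+xml':` branch carries no comment explaining why SVG is downgraded, unlike the `image/x-png` branch just above it; a line such as `/* SVG can embed script; never return a type the browser renders inline. */` would keep a later cleanup from reverting it. The case label is an exact string comparison, and the switch expression sits outside this hunk (as does the start of `_getType()`), so it is worth confirming that `$type` is already lower-cased and stripped of parameters there, otherwise a differently-cased or parameterised value would fall through to `default` and be returned unchanged. Returning `application/octet-stream` only protects the user if the response path keeps the browser from sniffing the body. Presumably the code that emits the part sets `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, but that is not visible here and should be checked.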
diff --git a/framework/Mime_Viewer/package.xml b/framework/Mime_Viewer/package.xml
index 65cf41b74c0..8ccd23a4f5d 100644
--- a/framework/Mime_Viewer/package.xml
+++ b/framework/Mime_Viewer/package.xml
@@ -21,7 +21,7 @@
LGPL-2.1
-*
+* [jan] SECURITY: Don't render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).
@@ -1105,7 +1105,7 @@
2016-07-28
LGPL-2.1
-*
+* [jan] SECURITY: Don't render SVG images in the browser to avoid XSS attacks (Reported by Dawid Gounski via Beyond Security's SecuriTeam Secure Disclosure program).