Skip to content

v3.7.9

Choose a tag to compare

@awcodes awcodes released this 06 Jul 16:06

Security

Backports the fix for a stored XSS vulnerability (CWE-79, CVSS 5.4 Moderate): SVG files
uploaded through the Curator panel were served inline without sanitization, allowing embedded
JavaScript to execute in the application's origin when a user opened the file via the
View action. SVG uploads are now sanitized (scripts, event handlers, and remote
references stripped) before being written to storage.

After upgrading, run php artisan curator:sanitize-svgs to clean any SVGs uploaded before
this release (use --dry-run to preview first).

See the security advisory for full details:
GHSA-8vm9-f75m-5h2m

Dependencies

  • Added enshrined/svg-sanitize.

Full Changelog: v3.7.8...v3.7.9