Skip to content

v5.1.2

Latest

Choose a tag to compare

@awcodes awcodes released this 06 Jul 16:08

Security

Fixes a stored XSS vulnerability (CWE-79, CVSS 5.4 Moderate): SVG files uploaded through the
Curator panel were served inline without sanitization, allowing embedded JavaScript to
execute in the application's origin when a user opened the file via the View action. SVG
uploads are now sanitized (scripts, event handlers, and remote references stripped) before
being written to storage.

After upgrading, run php artisan curator:sanitize-svgs to clean any SVGs uploaded before
this release (use --dry-run to preview first).

See the security advisory for full details:
GHSA-8vm9-f75m-5h2m

Maintenance

  • Added enshrined/svg-sanitize as a dependency.