
Stored XSS via improper sanitization of SVG uploads

Low
nattsw published GHSA-w5mv-4pjf-xj43 Apr 18, 2023

Package

No package listed

Affected versions

stable <= 3.0.2; beta <= 3.1.0.beta3; tests-passed <= 3.1.0.beta3

Patched versions

stable > 3.0.2; beta > 3.1.0.beta3; tests-passed > 3.1.0.beta3

Description

Impact

Due to improper sanitization of SVG files, an attacker can execute arbitrary JavaScript in users' browsers by uploading a crafted SVG file.

Patches

This issue is patched in the latest stable and tests-passed versions of Discourse.

Workarounds

Two possible workarounds: enable CDN handling of uploads (and ensure the CDN sanitizes SVG files), or disable SVG file uploads by ensuring that the authorized extensions site setting does not include svg (or reset that setting to the default; by default Discourse does not enable SVG uploads by users).
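To make both halves of this advisory concrete, here is an added example (not Discourse's own code) that scans an uploaded SVG, fail-closed, for the constructs that carry script, and checks whether the authorized extensions setting still permits svg. It assumes Ruby's bundled REXML parser and that the setting is a pipe-separated extension list.

```ruby
# Added example, not Discourse's code: fail-closed scan of an uploaded SVG for script-carrying
# constructs, plus a check of the site setting named in the workaround. Assumes bundled REXML.
require "rexml/document"

# Elements that run or embed script inside an SVG.
SCRIPT_ELEMENTS = %w[script foreignObject].freeze

# Visit an element and all of its descendants in document order.
def each_element(el, &blk)
  blk.call(el)
  el.elements.each { |child| each_element(child, &blk) }
end

# Browsers ignore surrounding whitespace and embedded control characters in the scheme.
def script_url?(value)
  value.to_s.gsub(/[[:space:]\x00-\x1f]/, "").downcase.start_with?("javascript:")
end

# Returns human-readable findings (empty for a clean file). A malformed document is itself
# a finding, so the caller rejects it instead of guessing what a lenient browser parser does.
def svg_findings(svg_text)
  doc = REXML::Document.new(svg_text)
  return ["malformed XML: no root element"] unless doc.root
  findings = []
  each_element(doc.root) do |el|
    findings << "<#{el.name}> element" if SCRIPT_ELEMENTS.include?(el.name)
    el.attributes.each do |name, value|
      local = name.split(":").last.downcase
      findings << "event handler #{name} on <#{el.name}>" if local.start_with?("on")
      findings << "javascript: URL in #{name} on <#{el.name}>" if local == "href" && script_url?(value)
    end
  end
  findings
rescue REXML::ParseException => e
  ["malformed XML: #{e.message.lines.first.strip}"]
end

# The workaround's setting (assumed pipe-separated): SVG uploads are only possible while it lists svg.
def svg_uploads_enabled?(authorized_extensions)
  authorized_extensions.split("|").map { |e| e.strip.downcase.delete_prefix(".") }.include?("svg")
end

# Constructed samples: a benign icon and a crafted upload of the kind the advisory describes.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
CRAFTED_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
    <script>alert(1)</script>
    <a xlink:href=" javascript:alert(1)"><text>open</text></a>
  </svg>
SVG
```

Rejecting on any finding is the sanitizer-side equivalent of the advisory's "ensure the CDN sanitizes SVG files"; the setting check is the "does not include svg" workaround expressed as code.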

Severity

Low
3.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2023-30538

Weaknesses

No CWEs

Credits