CVE-2019-10772: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

February 27, 2020 (updated August 19, 2021)

It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the “xlink:href” attribute due to mishandling of the xlink namespace by the sanitizer.

References

github.com/advisories/GHSA-8rc5-hx3v-2jg7
github.com/darylldoyle/svg-sanitizer/commit/6add43e5c5649bc40e3afcb68c522720dcb336f9
nvd.nist.gov/vuln/detail/CVE-2019-10772
snyk.io/vuln/SNYK-PHP-ENSHRINEDSVGSANITIZE-536969

Code Behaviors & Features

Detect and mitigate CVE-2019-10772 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →