CVE-2020-11070

MEDIUM

TYPO3 SVG Sanitizer < 1.0.3 - Cross-Site Scripting via Invalid SVG Markup

Title source: llm

Description

The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulnerability in versions before 1.0.3. Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting. This is fixed in version 1.0.3.

References (1)

Core 1

Core References

Third Party Advisory x_refsource_confirm

https://github.com/TYPO3GmbH/svg_sanitizer/security/advisories/GHSA-59cf-m7v5-wh5w

Scores

CVSS v3 5.4

EPSS 0.0021

EPSS Percentile 42.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

t3g/svg-sanitizer 0 - 1.0.3Packagist

typo3/svg_sanitizer < 1.0.3

Published May 13, 2020

Tracked Since Feb 18, 2026