CVE-2023-44383

Description

### Impact A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. SVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the `svg` extension from the list of supported file types. ### Patches The issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the **config/media.php** file. ``` 'clean_vectors' => true, ``` ### Workarounds If you cannot upgrade for this patch, follow the pervious advice and remove `svg` from the supported file types. ### References - https://github.com/octobercms/october/blob/3.x/config/media.php Credits to: - Faris Krivic - Okan Kurtulus - Aldin Visnjic - Bug Shankar ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

Affected packages (1)

• Packagist/october/system>= 3.0.0, < 3.5.2

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-44383
• PATCHhttps://github.com/octobercms/october
• WEBhttps://github.com/octobercms/october/commit/b7eed0bbf54d07ff310fcdc7037a8e8bf1f5043b
• WEBhttps://github.com/octobercms/october/security/advisories/GHSA-rvx8-p3xp-fj3p