Headline
CVE-2023-36828: Release v4.10.0 · statamic/cms
Statamic is a flat-first, Laravel and Git powered content management system. Prior to version 4.10.0, the SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform cross-site scripting attacks using SVG, even when using the sanitize function. Version 4.10.0 contains a patch for this issue.
Skip to content
Sign up
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
Explore
* All features
* Documentation
* GitHub Skills
* Blog
For
- Enterprise
- Teams
- Startups
- Education
By Solution
- CI/CD & Automation
- DevOps
- DevSecOps
Case Studies
- Customer Stories
- Resources
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Repositories
* Topics
* Trending
* Collections
Pricing
In this repository All GitHub
No suggested jump to results
In this repository All GitHub
In this organization All GitHub
In this repository All GitHub
Sign in
Sign up
statamic / cms Public
- Notifications
- Fork 393
- Star 2.8k
- Code
- Issues 437
- Pull requests 51
- Discussions
- Actions
- Projects
- Security
- Insights
More
- Releases
- v4.10.0
Latest
Latest
Compare
Choose a tag to compare
github-actions released this
05 Jul 16:34
v4.10.0
5261b3b
What’s new
- Added sanitize param to the svg tag. #8408 by @jasonvarga
What’s improved
- French translations. #8388 by @ebeauchamps
What’s fixed
- Bring back the password reset link for non-OAuth sites. #8396 by @jackmcdade
- Add some missing translation calls. #8387 by @ebeauchamps
Contributors
jackmcdade, jasonvarga, and ebeauchamps
Assets 4
Related news
Antlers sanitizer cannot effectively sanitize malicious SVG ### Summary The SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform XSS attacks using SVG, even when using the `sanitize` function. ### Details Regarding the previous discussion mentioned [here](https://github.com/statamic/cms/security/advisories/GHSA-jvw9-rrc5-39g6#advisory-comment-84322), it has been identified that the default blacklist in the **FilesFieldtypeController** (located at this [link](https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15)) only blocks certain file extensions such as php, php3, php4, php5, and phtml. This allows a malicious user to upload a manipulated SVG file disguised as a social media icon, potentially triggering an XSS vulnerability. ### PoC Screenshot ![image](https://user-images.githubusercontent.com/17494868/251093022-15f949e9-2014-4069-850b-8...