Headline
CVE-2022-39390: User-supplied images can inject executable JavaScript
Octocat.js is a library used to render a set of options into an SVG. Versions prior to 1.2 are subject to JavaScript injection via user provided URLs. Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code. This vulnerability was fixed in version 1.2 of octocat.js. As a workaround, writing an image to disk then using that image in an image element in HTML mitigates the risk.
Impact
Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code.
Patches
This vulnerability was fixed in version 1.2 of octocat.js
Workarounds
Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk.
References
To render the file correctly, see documentation at readme.md
For more information
If you have any questions or comments about this advisory:
- Open an issue in the octo.js repository
Related news
### Impact Users can include their own images for accessories via provided URLs. These URLs are not validated and can result in execution of injected code. ### Patches This vulnerability was fixed in version 1.2 of octocat.js ### Workarounds Directly exposing rendered images to a website can introduce the vulnerability to users. To avoid, writing an image to disk then using that image in an image element in HTML mitigates the risk. ### References To render the file correctly, see documentation at `readme.md` ### For more information If you have any questions or comments about this advisory: * Open an issue in [the octo.js repository](http://github.com/octocademy/octocat.js/issues)