Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
@dicebear/core and @dicebear/initials Vulnerable to SVG Injection via Unsanitized Options
Vulnerability Description
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to `createAvatar()` and serve the resulting SVG inline or with `Content-Type: image/svg+xml`. Starting in versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, all affected SVG attribute values are properly escaped using XML entity encoding. Users should upgrade to the listed patched versions. Some mitigating factors limit vulnerability. Applications that validate input against the library's JSON Schema before passing it to `createAvatar()` are not affected. The DiceBear CLI validates input via AJV and was not vulnerable. Exploitation requires that an application passes untrusted, unvalidated external input directly as option values.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
DiceBear 跨站脚本漏洞
Vulnerability Description
DiceBear是DiceBear开源的一个随机头像生成库。 DiceBear 5.0.0至5.4.4之前版本、6.1.4之前版本、7.1.4之前版本、8.0.3之前版本和9.4.1之前版本存在跨站脚本漏洞,该漏洞源于用户提供的SVG属性值未进行XML转义,可能导致跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A