Vulnerability Information
Vulnerability Title
rhukster/dom-sanitizer: SVG <style> tag allows CSS injection via unfiltered url() and @import directives
Vulnerability Description
DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() references and @import rules pass through unfiltered, causing the browser to issue HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered. Version 1.0.10 fixes the issue.
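The missing step described above is an inspection of the text inside SVG `<style>` elements. The following PHP is an added example, not code from rhukster/dom-sanitizer or from Andy Miller: it is a post-processing pass that parses an SVG document, reads the text content of every `<style>` element, and removes those that carry a `url()` reference or an `@import` rule. The function names, the regular expressions and the sample SVG are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example; not the project's own code. It demonstrates the kind of
// inspection the advisory says was absent before 1.0.10: looking at what
// an SVG <style> element actually contains instead of passing it through.

/**
 * True when a block of CSS contains a url() reference or an @import rule.
 * Comments are stripped first so that "/* url( */" can neither hide nor
 * fake a match.
 */
function cssHasExternalReference(string $css): bool
{
    $stripped = preg_replace('#/\*.*?\*/#s', '', $css);
    if ($stripped === null) {
        // preg failure (for example invalid UTF-8): treat as suspicious.
        return true;
    }
    return preg_match('/@import\b|\burl\s*\(/i', $stripped) === 1;
}

/**
 * Remove every <style> element (in any namespace) whose content references
 * an external resource. Returns [serialized XML, number of elements removed].
 */
function stripExternalStyles(string $svg): array
{
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch anything over the network while parsing.
    $ok = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok === false) {
        throw new InvalidArgumentException('input is not well-formed XML');
    }

    // Copy the live NodeList first: removing nodes while iterating it skips elements.
    $styles = iterator_to_array($dom->getElementsByTagNameNS('*', 'style'));
    $removed = 0;
    foreach ($styles as $style) {
        // textContent also covers CSS wrapped in a CDATA section.
        if (cssHasExternalReference($style->textContent)) {
            $style->parentNode->removeChild($style);
            $removed++;
        }
    }
    return [$dom->saveXML(), $removed];
}

// Constructed sample input; example.invalid is a reserved, unroutable name.
$sample = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg">
  <style>@import url("https://example.invalid/a.css");</style>
  <style><![CDATA[ rect { fill: url(https://example.invalid/b.png); } ]]></style>
  <style>rect { fill: red; }</style>
  <rect width="10" height="10"/>
</svg>
SVG;

[$clean, $removed] = stripExternalStyles($sample);
echo "removed {$removed} style element(s)\n";
echo $clean;
```

Two of the three `<style>` elements in the constructed sample are removed; the one containing only `fill: red` survives. This pass only covers `<style>` elements, not `style=""` attributes, and a regular expression is a coarse filter for CSS. The conservative alternative for a sanitizer that has no CSS parser is to drop `<style>` elements from untrusted SVG altogether.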
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Vulnerability Type
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Vulnerability Title
DOMSanitizer security vulnerability
Vulnerability Description
DOMSanitizer is a DOM (Document Object Model) sanitization filter developed by the independent developer Andy Miller. Versions of DOMSanitizer prior to 1.0.10 contain a security vulnerability caused by insufficient inspection of the content of style elements in SVG, which may cause the browser to issue HTTP requests to attacker-controlled hosts.
CVSS Information
N/A
Vulnerability Type
N/A