This issue has been addressed by improved handling of SVG files through the plugin's option for user input. In order to check if your site is vulnerable, visit your site's Dashboard and enter the following into the Search bar: svg onload="alert(this.attr('data-svg-src'));">. If a red box is displayed, this means that your site is vulnerable. The easiest way to protect yourself from this type of XSS is to disable the SVG Support plugin.

HTML5 Element CVE-2022-1756

This issue has been addressed by improved handling of SVG files through the plugin's option for user input. In order to check if your site is vulnerable, visit your site's Dashboard and enter the following into the Search bar: svg onload="alert(this.attr('data-svg-src'));">. If a red box is displayed, this means that your site is vulnerable. The easiest way to protect yourself from this type of XSS is to disable the SVG Support plugin.

XSS with HTML attributes

Cross-site scripting (XSS) is a computer security vulnerability that allows unauthorized remote attackers to inject client-side scripts into otherwise trusted web pages, typically by way of a web application's HTML response.
If an attacker is able to inject malicious JavaScript code in the target site, they could then steal cookie-based authentication credentials and use them on other sites without the user's knowledge. This could then lead to a breach of the site, which often results in disclosure of private data.
By using CSS or inline JavaScript in forms, input fields, and other HTML attributes, it is possible for an attacker to bypass input validation measures implemented by the browser and inject client-side script into the page. This can lead to cross-site scripting vulnerabilities like session fixation, cross-site request forgery, clickjacking, etc. In addition to XSS vulnerabilities found with HTML attributes such as style sheets and inline scripts on form element attributes, attackers may also be able to exploit stored XSS vulnerabilities embedded within HTML documents themselves.

Timeline

Published on: 09/26/2022 13:15:00 UTC
Last modified on: 09/28/2022 14:24:00 UTC

References