MantisBT: master-2.25 26676219

Author Committer Branch Timestamp Parent
dregad dregad master-2.25 2022-06-15 12:28 master-2.25 262ecdde
Affected Issues  0029135: CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection

Disable SVG files upload by default

SVG files are not just images, they are XML files and as such could
contain inline CSS or scripting which could be used as attack vector
for stored XSS.

Devendra Bhatla and Febin Mon Saji <> both and
independently reported this vulnerability.

Fixes 0029135, CVE-2022-33910

mod - config_defaults_inc.php Diff File
mod - docbook/Admin_Guide/en-US/config/uploads.xml Diff File