When potential security vulnerabilities are discovered in SilverStripe's supported modules, we produce security releases so that you can promptly secure your SilverStripe websites (see our security release process). All releases are available on our download page and are announced on our forums (register to subscribe). Vulnerabilities in releases are disclosed here. Please subscribe to our security release RSS feed and pre-announcement mailing list to stay updated.
SS-2016-017: SVG Uploads
- Severity: Low
- Versions Affected:
- Versions Fixed:
SVG is an XML format that can carry executable content: script elements, event-handler attributes such as onload, and javascript: links. An uploaded SVG that a browser renders inline from the site's own origin can therefore execute arbitrary scripts in that origin, which introduces a stored XSS risk.
Uploads of files with the .svg extension are disabled by default from the fixed versions onward. A site that re-enables the extension takes on the risk again unless uploaded SVGs are sanitized, or are served in a way that does not execute script (for example as a download rather than rendered inline).
Discovered by SEC Consult Singapore Pte. Ltd. (https://www.sec-consult.com/)