Possible cross-site scripting attack via unsanitized SVG files in FoF Upload
Description
FriendsofFlarum (FoF) Upload is an extension that handles file uploads intelligently for your forum. If FoF Upload prior to version 1.2.3 is configured to allow the uploading of SVG files ('image/svg+xml'), navigating directly to an SVG file URI could execute arbitrary Javascript code decided by an attacker. This Javascript code could include the execution of HTTP web requests to Flarum, or any other web service. This could allow data to be leaked by an authenticated Flarum user, or, possibly, for data to be modified maliciously. This issue has been patched with v1.2.3, which now sanitizes uploaded SVG files. As a workaround, remove the ability for users to upload SVG files through FoF Upload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fof/upload (Packagist) | < 1.2.3 | 1.2.3 |
Affected products
- Range: < 1.2.3
Vulnerability mechanics
Root cause
"Missing sanitization of uploaded SVG files allows arbitrary JavaScript execution via embedded script elements or event handlers."
Attack vector
An attacker uploads a crafted SVG file containing embedded JavaScript (e.g., via script elements or event handler attributes, as described under root cause). When a victim navigates directly to the uploaded file's URI, the browser executes that code, which can then issue HTTP requests to Flarum as the victim's authenticated session.
Affected code
The vulnerability exists in the file upload handling logic within `src/Commands/UploadHandler.php`. Prior to the patch, uploaded SVG files were stored and served without any sanitization, allowing arbitrary SVG content including embedded JavaScript. The patch adds SVG sanitization using the `enshrined/svg-sanitize` library, introduces a new `SanitizerProvider` service provider, and creates custom allowed-tags/allowed-attrs classes (`src/Sanitizer/SvgAllowedAttrs.php`, `src/Sanitizer/SvgAllowedTags.php`) along with an `SvgSanitizer` extender (`src/Extend/SvgSanitizer.php`).
What the fix does
The patch adds a dependency on the `enshrined/svg-sanitize` library and integrates it into the upload handler. When an uploaded file has a MIME type starting with `image/svg`, the file contents are sanitized via `$this->sanitizer->sanitize()`, which strips disallowed tags, attributes, and remote references. If sanitization fails (returns `false`), a `ValidationException` is thrown and the upload is rejected. The sanitized content is then written back to the file, ensuring only safe SVG markup is stored and served.
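To make the described fix concrete, the following is an added example (not FoF Upload's own code, which is PHP and uses `enshrined/svg-sanitize`) that models the same three behaviours in Python: allowlist-based stripping of elements and attributes, removal of remote references, and rejection of the upload when sanitization fails. The allowlists, the `handle_upload` name and the sample SVG are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Small allowlists constructed for this example; the real library's are much longer.
ALLOWED_TAGS = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle",
                "ellipse", "line", "polyline", "polygon", "text", "use", "image"}
ALLOWED_ATTRS = {"id", "x", "y", "width", "height", "viewBox", "fill", "stroke",
                 "stroke-width", "d", "cx", "cy", "r", "rx", "ry", "points",
                 "transform", "href"}
REMOTE_OR_SCRIPT = ("http:", "https:", "//", "javascript:", "data:")

def _local(name: str) -> str:
    # Strip the "{namespace}" prefix ElementTree puts on tags and attributes.
    return name.split("}", 1)[1] if name.startswith("{") else name

def _clean(el: ET.Element) -> None:
    for child in list(el):                  # drop non-allowlisted elements, e.g. <script>
        if _local(child.tag) not in ALLOWED_TAGS:
            el.remove(child)
        else:
            _clean(child)
    for attr in list(el.attrib):            # drop on* handlers, unknown attrs, remote hrefs
        name = _local(attr)
        value = el.attrib[attr].strip().lower()
        if (name.lower().startswith("on") or name not in ALLOWED_ATTRS
                or (name == "href" and value.startswith(REMOTE_OR_SCRIPT))):
            del el.attrib[attr]

def sanitize_svg(data: bytes):
    # None means the input could not be sanitized (like enshrined/svg-sanitize returning false).
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if _local(root.tag) != "svg":
        return None
    _clean(root)
    return ET.tostring(root, encoding="utf-8")

def handle_upload(mime_type: str, data: bytes) -> bytes:
    # Mirrors the patched handler: sanitize image/svg*, reject on failure, pass others through.
    if mime_type.startswith("image/svg"):
        cleaned = sanitize_svg(data)
        if cleaned is None:
            raise ValueError("SVG could not be sanitized; upload rejected")
        return cleaned
    return data
```

A production version should parse with a hardened XML parser (for example `defusedxml`) and use full allowlists; dropping every `data:` URI, as done here, also removes legitimately embedded raster images.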
Preconditions
- Config: FoF Upload must be configured to allow SVG file uploads (MIME type 'image/svg+xml')
- Auth: the attacker must be an authenticated Flarum user with upload permissions
- Input: the victim must navigate directly to the uploaded SVG file URI in a browser
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fm53-mpmp-7qw2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-30999 (NVD advisory)
- github.com/FriendsOfFlarum/upload/issues/68 (issue)
- github.com/FriendsOfFlarum/upload/pull/318 (fix pull request)
- github.com/FriendsOfFlarum/upload/releases/tag/1.2.3 (patched release)
- github.com/FriendsOfFlarum/upload/security/advisories/GHSA-fm53-mpmp-7qw2 (vendor advisory, confirmed)