CVE-2023-40013: 
JavaScript vulnerability analysis and mitigation

SVG Loader, a JavaScript library that fetches SVGs using XMLHttpRequests and injects SVG code, contains a Cross-site Scripting (XSS) vulnerability in versions up to 1.6.8. The vulnerability was discovered and disclosed in August 2023, affecting any website that uses external-svg-loader and allows users to provide SVG sources or upload SVG files (GitHub Advisory).

The vulnerability stems from insufficient input sanitization logic in the SVG Loader library. While the library attempts to strip JavaScript code before injecting SVG files for security reasons, the sanitization process only removes certain event attributes like 'onmouseover' and 'onclick', but the list of events is not exhaustive. The vulnerability allows attackers to bypass security measures using unlisted event attributes such as 'onafterscriptexecute', 'onbeforecopy', 'onbeforecut', and others. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) by NVD and 7.1 (HIGH) by GitHub (NVD).

The vulnerability enables attackers to execute arbitrary JavaScript code through crafted SVG files, potentially leading to Cross-site Scripting (XSS) attacks. Any website that uses external-svg-loader and allows users to provide SVG sources or upload SVG files is susceptible to stored XSS attacks (GitHub Advisory).

The vulnerability has been patched in version 1.6.9 of the library through commit d3562fc08. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Patch).