drupal/canvas is vulnerable to Unrestricted Upload of File with Dangerous Type
42
Medium Risk
The Canvas module allows image uploads via a custom API but only validates file extensions, not MIME types. A malicious user may upload non-image files disguised with image extensions. Depending on web server configuration, those files may be served with their actual MIME type rather than an image type, which could lead to cross-site scripting (XSS) or other unexpected behavior.
You are affected if you are using a version that falls within the vulnerable range.
drupal/canvas is vulnerable to Unrestricted Upload of File with Dangerous Type in versions 0.0.1 - 1.4.1, 1.5.0 - 1.5.1, 1.6.0 - 1.6.0 and 1.7.0 - 1.7.0.
Upgrade the drupal/canvas library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant