SVG documents - Fluid Topics - 3.11

Fluid Topics Configuration and Administration Guide

Category: Reference Guides
Audience: public
Version: 3.11

In the SVG documents section of the Security administration interface, users with the ADMIN role can configure a toggle to prevent privilege escalation attacks.

A privilege escalation attack can occur in the following circumstances:

  1. A user with the KHUB_ADMIN or CONTENT_PUBLISHER role uploads an SVG document.
  2. A user with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role views that document in the Viewer page or previews it in the Search page.
  3. The user with the KHUB_ADMIN or CONTENT_PUBLISHER role injects JavaScript into the SVG document to obtain rights reserved for users with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role.

SVG documents include all unstructured documents, map attachments and resources with the MIME type image/svg+xml.

When the toggle is enabled, Fluid Topics does not render the scripts contained in an SVG document directly in the portal. Users who download the SVG document can still read the scripts locally on their machines.
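The following Python check is an added illustration (not Fluid Topics code) of the constructs the toggle keeps out of the portal: `<script>` elements, `on*` event-handler attributes and `javascript:` links inside an SVG. It assumes a publisher wants to audit files before upload; the sample SVG strings are constructed for the example.

```python
"""Audit an SVG file for script-bearing constructs before publishing it.

Added example, not part of Fluid Topics. Uses only the standard library.
"""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip the XML namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def find_script_vectors(svg_bytes: bytes) -> list:
    """Return one description per script-bearing construct found in the SVG.

    Reports <script> elements, on* event-handler attributes and href /
    xlink:href values that use the javascript: scheme. A document that does
    not parse is reported as a finding as well, because it cannot be vetted.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparsable XML: {exc}"]
    findings = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / processing instructions
            continue
        name = _local(elem.tag)
        if name == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"<{name} {attr_name}> event handler")
            elif attr_name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"<{name} href> javascript: URL")
    return findings


def is_safe_to_render_inline(svg_bytes: bytes) -> bool:
    """True only when no script vector (and no parse error) was found."""
    return not find_script_vectors(svg_bytes)


# Constructed samples: a plain drawing and one carrying every vector type.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="handler()">'
    b"<script>/* constructed sample */</script>"
    b'<a xlink:href="javascript:handler()"><text>link</text></a></svg>'
)
```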

Disabling the toggle makes the portal vulnerable to privilege escalation attacks.