If you were to download this image and open it in a plain text editor instead of an image editor, you would see that it consists of XML markup, which can include arbitrary content:
This represents a potential vulnerability, but it is not as serious as an attack that fires as soon as the page is loaded, as a directly rendered image would. One of the best ways to stop this attack entirely would be to disallow image tags and image uploads altogether. MIME type checking is not enough to detect this attack, because the hostile SVG image only identifies itself as an SVG image. If image uploads must be allowed as a necessary feature, controls such as forcibly converting SVG images to a JPG or PNG file type, or disallowing SVG image uploads entirely, would provide a way to avoid this attack.
However, if SVG images are an absolutely necessary feature of an application, there are steps that allow SVG uploads more safely. The first is to avoid rendering the image on the site and instead require it to be downloaded. You can do so by setting the Content-Disposition response header to attachment, which makes the browser ask to save the file instead of rendering it on the site.
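
The download-only control described above, sketched as an added example that is not code from the original article: the upload body is sniffed for an SVG root tag, since the declared MIME type cannot be trusted to decide how the file is served, and anything SVG-like is returned with `Content-Disposition: attachment`. The function names and sample bytes are hypothetical, and the `X-Content-Type-Options: nosniff` header is extra hardening that the article does not mention.

```python
import re

# Matches an <svg ...> start tag, optionally namespace-prefixed (e.g. <svg:svg>).
_SVG_TAG = re.compile(r"<\s*(?:[\w.-]+:)?svg[\s>/]", re.IGNORECASE)
# Anything outside this set is replaced, so quotes and CR/LF never reach the header.
_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")

# Constructed sample inputs (benign): a minimal SVG and the start of a PNG file.
SAMPLE_SVG = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" '
              b'width="10" height="10"><rect width="10" height="10"/></svg>')
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def looks_like_svg(data: bytes, window: int = 8192) -> bool:
    """Sniff the upload body; the declared MIME type and extension are ignored."""
    head = data[:window]
    if head.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = head.decode("utf-16", errors="ignore")  # BOM selects byte order
    else:
        text = head.decode("latin-1")  # never fails; ASCII markup survives intact
    return bool(_SVG_TAG.search(text))


def response_headers(filename: str, declared_type: str, data: bytes) -> dict:
    """Headers for serving a stored upload back to a browser."""
    safe = _SAFE_NAME.sub("_", filename) or "download"
    if looks_like_svg(data):
        # SVG is never rendered in the site's origin: force a save dialog.
        return {
            "Content-Type": "image/svg+xml",
            "Content-Disposition": f'attachment; filename="{safe}"',
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # An SVG uploaded under a PNG name and type is still served as a download.
    print(response_headers("logo.png", "image/png", SAMPLE_SVG))
    print(response_headers("photo.png", "image/png", SAMPLE_PNG))
```

The sniff is deliberately conservative: an HTML file that merely contains an inline `<svg>` element is also served as an attachment, which errs on the safe side.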
Hopefully this article provides both insight into an unusual attack vector for Cross-Site Scripting attacks and techniques for defense in depth against them.