CVE-2020-4054 sanitize

Package

Manager: gem
Name: sanitize
Vulnerable Version: >=3.0.0 <5.2.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00484 (percentile 0.64331)

Details

Cross-site Scripting in Sanitize

When HTML is sanitized using Sanitize's "relaxed" config or a custom config that allows certain elements, some content in a `<math>` or `<svg>` element may not be sanitized correctly even if `math` and `svg` are not in the allowlist.

You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:

- `iframe`
- `math`
- `noembed`
- `noframes`
- `noscript`
- `plaintext`
- `script`
- `style`
- `svg`
- `xmp`

### Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.

### Releases

This problem has been fixed in Sanitize 5.2.1.

### Workarounds

If upgrading is not possible, a workaround is to override the default value of Sanitize's `:remove_contents` config option with the following value, which ensures that the contents of `math` and `svg` elements (among others) are removed entirely when those elements are not in the allowlist:

```ruby
%w[iframe math noembed noframes noscript plaintext script style svg xmp]
```

For example, if you currently use Sanitize's relaxed config, you can create a custom config object that overrides the default value of `:remove_contents` like this:

```ruby
custom_config = Sanitize::Config.merge(
  Sanitize::Config::RELAXED,
  :remove_contents => %w[iframe math noembed noframes noscript plaintext script style svg xmp]
)
```

You would then pass this custom config to Sanitize when sanitizing HTML.

### For more information

If you have any questions or comments about this advisory:

- Open an issue in the [Sanitize repo](https://github.com/rgrove/sanitize).
- See Sanitize's [security policy](https://github.com/rgrove/sanitize/security/policy).

### Credits

Many thanks to Michal Bentkowski of Securitum for reporting this bug and helping to verify the fix.

### References

- [GHSA-p4x4-rw2p-8j8m](https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m)
- [CVE-2020-4054](https://nvd.nist.gov/vuln/detail/CVE-2020-4054)
- https://github.com/rgrove/sanitize/releases/tag/v5.2.1
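To audit a deployed Sanitize config against the workaround above before any HTML is sanitized, here is an added Ruby example; it is not code from the advisory or from the Sanitize project. It uses a constructed stand-in hash for a pre-fix relaxed-style config; because Sanitize configs are plain symbol-keyed hashes, `Sanitize::Config::RELAXED` or any custom config can be passed to these functions in its place when the gem is installed.

```ruby
# The :remove_contents value the advisory recommends: the contents of these
# elements are dropped entirely when the element itself is not allowlisted.
REMOVE_CONTENTS_FIX = %w[iframe math noembed noframes noscript plaintext
                         script style svg xmp].freeze

# Constructed stand-in for a relaxed-style config from before the fix. Its
# :remove_contents lacks math and svg, so when those wrappers are stripped
# their inner content is kept and re-parsed rather than removed.
LEGACY_RELAXED = {
  elements: %w[a b em i p strong ul li],
  attributes: { 'a' => %w[href] },
  remove_contents: %w[iframe noembed noframes noscript script style]
}.freeze

# True when the config already removes the contents of every element in
# REMOVE_CONTENTS_FIX. Sanitize also accepts `true` for :remove_contents,
# meaning "remove the contents of every non-allowlisted element", which is
# stricter than the list and therefore also passes.
def remove_contents_hardened?(config)
  rc = config[:remove_contents]
  return true if rc == true
  return false unless rc.is_a?(Array)
  (REMOVE_CONTENTS_FIX - rc.map(&:to_s)).empty?
end

# Returns a new config with the workaround applied (a plain Hash#merge, not
# Sanitize::Config.merge). Elements the caller already listed are kept and
# the advisory's list is unioned in; a `true` setting is left as it is.
def harden_remove_contents(config)
  existing = config[:remove_contents]
  return config.dup if existing == true
  merged = existing.is_a?(Array) ? (existing.map(&:to_s) | REMOVE_CONTENTS_FIX) : REMOVE_CONTENTS_FIX
  config.merge(remove_contents: merged)
end

# The advisory names allowlisting any of these elements as a risk indicator,
# and :remove_contents only applies to elements that are NOT allowlisted, so
# report any overlap for the operator to review separately.
def allowlisted_risky_elements(config)
  Array(config[:elements]).map(&:to_s) & REMOVE_CONTENTS_FIX
end
```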

Metadata

Created: 2020-06-16T22:08:06Z
Modified: 2023-05-16T16:18:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-p4x4-rw2p-8j8m/GHSA-p4x4-rw2p-8j8m.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-p4x4-rw2p-8j8m
Finding: F008
Auto approve: 1