CVE-2023-36823 sanitize

Package

Manager: gem
Name: sanitize
Vulnerable Version: >=3.0.0 <6.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00332 (percentile 0.55421)

Details

Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content

### Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize `>= 3.0.0, < 6.0.2` when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in XSS (cross-site scripting) or other undesired behavior when the malicious HTML and CSS are rendered in a browser.

### Patches

Sanitize `>= 6.0.2` performs additional escaping of CSS in `style` element content, which fixes this issue.

### Workarounds

Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `</` as `<\/` in `style` element content.

### Credit

This issue was found by @cure53 during an audit of a project that uses Sanitize and was reported by one of that project's maintainers. Thank you!
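An added Ruby example (not code from the advisory or the Sanitize project) that applies the third workaround above: it escapes `</` as `<\/` in the text content of a `style` element and checks that the serialized element can no longer be closed early by its own CSS. The function names and the CSS sample are constructed for illustration; in a real deployment the same escaping would be applied to each `style` node's content before serialization, e.g. from a Sanitize transformer.

```ruby
# Why "<\/" is safe: in CSS, a backslash before "/" is an escape for "/",
# so the stylesheet keeps its meaning, while the HTML tokenizer, which only
# ends a <style> element at a literal "</style", never sees "</" any more.

# Escape every "</" in CSS text that is destined for a <style> element.
# The block form of gsub is used so the backslash is inserted literally.
def escape_style_css(css)
  css.gsub('</') { '<\/' }
end

# Serialize a <style> element from already-sanitized CSS text,
# applying the escaping as the last step before the markup is emitted.
def style_element(css)
  "<style>#{escape_style_css(css)}</style>"
end

# Defensive check on a serialized <style> element: after stripping the
# element's own start and end tags, no "</" may remain in between, since
# any such sequence could be interpreted as an early end tag.
def style_element_intact?(html)
  inner = html.sub(/\A<style[^>]*>/i, '').sub(%r{</style\s*>\z}i, '')
  !inner.include?('</')
end

# Constructed sample: an at-rule followed by a "</" sequence that, unescaped,
# would terminate the element and let the trailing markup render as HTML.
SAMPLE_CSS = '@media screen { p { color: red } } </style><b>not css</b>'

if __FILE__ == $PROGRAM_NAME
  puts style_element(SAMPLE_CSS)
  puts "unescaped intact?  #{style_element_intact?("<style>#{SAMPLE_CSS}</style>")}"
  puts "escaped intact?    #{style_element_intact?(style_element(SAMPLE_CSS))}"
end
```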

Metadata

Created: 2023-07-06T19:45:44Z
Modified: 2023-07-06T19:45:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-f5ww-cq3m-q3g7/GHSA-f5ww-cq3m-q3g7.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-f5ww-cq3m-q3g7
Finding: F008
Auto approve: 1