GHSA-f5ww-cq3m-q3g7

Suggest an improvement
Source
https://github.com/advisories/GHSA-f5ww-cq3m-q3g7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-f5ww-cq3m-q3g7/GHSA-f5ww-cq3m-q3g7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f5ww-cq3m-q3g7
Aliases
Published
2023-07-06T19:45:44Z
Modified
2023-11-14T18:46:47.726856Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content
Details

Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize >= 3.0.0, < 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows style elements and one or more CSS at-rules. This could result in XSS (cross-site scripting) or other undesired behavior when the malicious HTML and CSS are rendered in a browser.

Patches

Sanitize >= 6.0.2 performs additional escaping of CSS in style element content, which fixes this issue.

Workarounds

Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow style elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence </ as <\/ in style element content.

Credit

This issue was found by @cure53 during an audit of a project that uses Sanitize and was reported by one of that project's maintainers. Thank you!

Database specific
{
    "nvd_published_at": "2023-07-06T16:15:10Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T19:45:44Z"
}
References

Affected packages

RubyGems / sanitize

Package

Name
sanitize
Purl
pkg:gem/sanitize

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
6.0.2

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0
3.1.1
3.1.2

4.*

4.0.0
4.0.1
4.1.0
4.2.0
4.3.0
4.4.0
4.5.0
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6

5.*

5.0.0
5.1.0
5.2.0
5.2.1
5.2.2
5.2.3

6.*

6.0.0
6.0.1