GHSA-rm97-x556-q36h

Suggest an improvement
Source
https://github.com/advisories/GHSA-rm97-x556-q36h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-rm97-x556-q36h/GHSA-rm97-x556-q36h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rm97-x556-q36h
Aliases
Published
2024-02-24T06:30:17Z
Modified
2024-08-28T21:58:16Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
sanitize-html Information Exposure vulnerability
Details

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

Database specific 
{
    "nvd_published_at": "2024-02-24T05:15:44Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-538"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-01T16:55:53Z"
}
References

Affected packages

npm / sanitize-html

Package

Name
sanitize-html
View open source insights on deps.dev
Purl
pkg:npm/sanitize-html

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.1