UBUNTU-CVE-2023-23627

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2023-23627
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-23627.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2023-23627
Related
Published
2023-01-28T00:15:00Z
Modified
2023-01-28T00:15:00Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows noscript elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow noscript elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include noscript in the element allowlist.

References

Affected packages

Ubuntu:20.04:LTS / ruby-sanitize

Package

Name
ruby-sanitize
Purl
pkg:deb/ubuntu/ruby-sanitize?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.6.6-2.1~0.20.04.2

Affected versions

4.*

4.6.6-2
4.6.6-2.1~0.20.04.1

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "4.6.6-2.1~0.20.04.2",
            "binary_name": "ruby-sanitize"
        }
    ]
}

Ubuntu:22.04:LTS / ruby-sanitize

Package

Name
ruby-sanitize
Purl
pkg:deb/ubuntu/ruby-sanitize?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.0-1ubuntu0.1

Affected versions

5.*

5.2.1-2
5.2.3-1

6.*

6.0.0-1

Ecosystem specific 

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "6.0.0-1ubuntu0.1",
            "binary_name": "ruby-sanitize"
        }
    ]
}