CVE-2019-25225

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-25225

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-25225.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-25225

Aliases

GHSA-qhxp-v273-g94h

Downstream

UBUNTU-CVE-2019-25225

Published

2025-09-08T10:15:33.440Z

Modified

2025-11-20T11:02:25.044561Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize content when using the custom transformTags option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

References

Affected packages

Git / github.com/apostrophecms/sanitize-html

Affected ranges

Type: GIT
Repo: https://github.com/apostrophecms/sanitize-html
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

712cb6895825c8bb6ede71a16b42bade42abcaf3

Affected versions

1.*

1.10.1

1.11.0

1.11.1

1.11.4

1.18.2

1.18.3

1.18.4

1.18.5

1.19.0

1.19.1

1.19.2

1.19.3

1.20.0

1.21.0

1.21.1

1.22.0

v1.*

v1.5.2

v1.7.0

v1.7.1

v1.7.2

v1.8.0

v1.9.0