CVE-2023-23627

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-23627
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23627.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-23627
Aliases
Downstream
Published
2023-01-27T23:44:17Z
Modified
2025-10-22T18:35:27.872217Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Sanitize vulnerable to Cross-site Scripting via Improper neutralization of `noscript` element
Details

Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows noscript elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow noscript elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include noscript in the element allowlist.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/rgrove/sanitize

Affected ranges

Type
GIT
Repo
https://github.com/rgrove/sanitize
Events
Introduced
424f02f4fd279e650117d32388d0840097dbc4c9
Fixed
a92f21cd223a32a1737262d68e56a4fb8b9470f9

Affected versions

v5.*

v5.0.0
v5.1.0
v5.2.0
v5.2.1
v5.2.2
v5.2.3

v6.*

v6.0.0