It was discovered that there was a potential cross-site scripting (XSS) in ruby-sanitize, a whitelist-based HTML sanitizer.
Using carefully crafted input, an attacker may have been able to sneak
arbitrary HTML and CSS through Sanitize when it was configured to use the
built-in relaxed config, or when using a custom config that allowed
style elements and one or more CSS at-rules. This could have
resulted in cross-site scripting (XSS) or other undesired behavior if the
malicious HTML and CSS were then rendered in a browser. Upstream Sanitize
6.0.2 performs additional escaping of CSS in style element content, which
fixes this issue.
For Debian 10 Buster, this problem has been fixed in version 4.6.6-2.1~deb10u2.
We recommend that you upgrade your ruby-sanitize packages.
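As an added, constructed example (not part of this advisory or of the ruby-sanitize project), the following Ruby orders Debian version strings the way dpkg does, so a recorded ruby-sanitize version from your own package inventory (dpkg-query output, for example) can be checked against the fixed version named above; the tilde matters here, since 4.6.6-2.1~deb10u2 sorts before a plain 4.6.6-2.1 but after 4.6.6-2.1~deb10u1.

```ruby
# Added example (not from the advisory): order Debian package versions the way
# dpkg does, so a recorded ruby-sanitize version can be checked against the fix.
FIXED_VERSION = "4.6.6-2.1~deb10u2" # fixed version named in the advisory

# Weight of one character in a non-digit run: '~' sorts before everything,
# including the end of the string; letters sort before other punctuation.
def char_weight(c)
  return 0 if c.nil? || c.match?(/\d/)
  return -1 if c == "~"
  return c.ord if c.match?(/[A-Za-z]/)
  c.ord + 256
end

# Compare one component (upstream version or Debian revision) by alternating
# non-digit runs (character weights) and digit runs (numeric value).
def compare_component(a, b)
  i = j = 0
  while i < a.length || j < b.length
    while (i < a.length && !a[i].match?(/\d/)) || (j < b.length && !b[j].match?(/\d/))
      d = char_weight(a[i]) <=> char_weight(b[j])
      return d unless d.zero?
      i, j = i + 1, j + 1
    end
    na = a[i..].to_s[/\A\d*/] # leading digit run (empty at end of string)
    nb = b[j..].to_s[/\A\d*/]
    i, j = i + na.length, j + nb.length
    d = na.to_i <=> nb.to_i
    return d unless d.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]"; the last '-' starts the revision.
def parse_version(v)
  epoch, rest = v.include?(":") ? v.split(":", 2) : ["0", v]
  cut = rest.rindex("-")
  upstream, revision = cut ? [rest[0...cut], rest[cut + 1..]] : [rest, ""]
  [epoch.to_i, upstream, revision]
end

# -1, 0 or 1, matching the order used by dpkg --compare-versions.
def compare_debian_versions(a, b)
  ea, ua, ra = parse_version(a)
  eb, ub, rb = parse_version(b)
  [ea <=> eb, compare_component(ua, ub), compare_component(ra, rb)].find { |d| !d.zero? } || 0
end

# True when the recorded version already carries the fix.
def fixed?(installed, fixed = FIXED_VERSION)
  compare_debian_versions(installed, fixed) >= 0
end
```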
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS