DLA-3652-1

Import Source
https://storage.googleapis.com/debian-osv/dla-osv/DLA-3652-1.json
Published
2023-11-14T00:00:00Z
Modified
2023-11-14T11:17:49.076420Z
Details

It was discovered that there was a potential cross-site scripting (XSS) in ruby-sanitize, a whitelist-based HTML sanitizer.

Using carefully crafted input, an attacker may have been able to sneak arbitrary HTML and CSS through Sanitize when it was configured to use the built-in "relaxed" config, or when a custom config allowed style elements together with one or more CSS at-rules. This could have resulted in cross-site scripting (XSS) or other undesired behavior if the malicious HTML and CSS were then rendered in a browser.

  • CVE-2023-36823 Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows style elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in style element content, which fixes this issue.
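
The advisory ties exposure to two things: the upstream Sanitize version (3.0.0 up to, but not including, 6.0.2) and a config that allows style elements plus at least one CSS at-rule, or the built-in "relaxed" config. The following Ruby script is an added example, not code from the advisory or from the Sanitize project; it audits a deployed version and config hash against exactly those conditions. The config keys (:elements, :css => {:at_rules, :at_rules_with_properties, :at_rules_with_styles}) are assumed to mirror Sanitize's config hash layout, and the sample configs are constructed. Note that the version gate only applies to the upstream gem version: Debian's fixed package keeps 4.6.6 with a backported patch, so for distro packages check the package version against 4.6.6-2.1~deb10u2 instead.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement come from the standard library

# Upstream versions the advisory names as affected: >= 3.0.0 and < 6.0.2.
AFFECTED_RANGE = Gem::Requirement.new('>= 3.0.0', '< 6.0.2')

# Config keys through which author-supplied CSS at-rules reach a <style>
# element. Assumption of this example: these mirror Sanitize's :css sub-hash.
AT_RULE_KEYS = %i[at_rules at_rules_with_properties at_rules_with_styles].freeze

# True when a custom config allows <style> elements together with at least
# one CSS at-rule, which is the combination the advisory describes.
def style_with_at_rules?(config)
  elements = Array(config[:elements]).map(&:to_s)
  return false unless elements.include?('style')
  css = config[:css] || {}
  AT_RULE_KEYS.any? { |key| !Array(css[key]).empty? }
end

# Returns a verdict for a deployed upstream Sanitize version and config.
# `config` is either the symbol :relaxed (the built-in config the advisory
# names) or a Hash shaped like a Sanitize custom config.
def sanitize_exposure(version, config)
  return :fixed_version unless AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version))
  return :at_risk if config == :relaxed
  style_with_at_rules?(config) ? :at_risk : :config_not_affected
end

# Constructed sample configs, not taken from any real deployment.
CUSTOM_RISKY = { elements: %w[p style], css: { at_rules: ['font-face'] } }.freeze
CUSTOM_SAFE  = { elements: %w[p a], css: { properties: ['color'] } }.freeze

if $PROGRAM_NAME == __FILE__
  puts sanitize_exposure('4.6.6', :relaxed)      # at_risk
  puts sanitize_exposure('4.6.6', CUSTOM_RISKY)  # at_risk
  puts sanitize_exposure('4.6.6', CUSTOM_SAFE)   # config_not_affected
  puts sanitize_exposure('6.0.2', :relaxed)      # fixed_version
end
```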

For Debian 10 Buster, this problem has been fixed in version 4.6.6-2.1~deb10u2.

We recommend that you upgrade your ruby-sanitize packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Affected packages

Debian:10 / ruby-sanitize

Package: ruby-sanitize (Debian:10)

Affected ranges
Type: ECOSYSTEM
Introduced: 0 (the exact introduced commit is unknown)
Fixed: 4.6.6-2.1~deb10u2

Affected versions
4.*
4.6.6-2
4.6.6-2.1~deb10u1