GHSA-8j9v-h2vp-2hhv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8j9v-h2vp-2hhv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-8j9v-h2vp-2hhv/GHSA-8j9v-h2vp-2hhv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8j9v-h2vp-2hhv
- Aliases
- Published
- 2021-01-04T18:22:11Z
- Modified
- 2024-02-17T05:34:17.750520Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N CVSS Calculator
- Summary
- XSS in HtmlSanitizer
- Details
-
Impact
If you have explicitly allowed the
<style>tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the<style>tag so there is no risk if you have not explicitly allowed the<style>tag.Patches
The problem has been fixed in version 5.0.372.
Workarounds
Remove the
<style>tag from the set of allowed tags.For more information
If you have any questions or comments about this advisory open an issue in https://github.com/mganss/HtmlSanitizer
Credits
This issue was discovered by Michal Bentkowski of Securitum.
- Database specific
{ "nvd_published_at": "2021-01-04T19:15:00Z", "cwe_ids": [ "CWE-74", "CWE-79" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2021-01-04T18:21:52Z" }- References
-
- https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv
- https://nvd.nist.gov/vuln/detail/CVE-2020-26293
- https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8
- https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372
- https://www.nuget.org/packages/HtmlSanitizer
Affected packages
NuGet / HtmlSanitizer
Package
- Name
- HtmlSanitizer
- View open source insights on deps.dev
- Purl
- pkg:nuget/HtmlSanitizer
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.0.372
Affected versions
1.*
1.0.4925.29815
1.0.4927.30873
1.1.5243.28448
1.1.5297.28403
1.1.5338.17998
2.*
2.0.5449.20550
2.0.5548.24932
2.0.5595.22183
2.0.5595.30325
2.0.5623.30465
2.0.5735.24296
3.*
3.0.66-beta
3.0.5781.31354-beta
3.1.67-beta
3.1.75-beta
3.1.76
3.1.79
3.1.91
3.1.93
3.1.98
3.2.96-beta
3.2.100-beta
3.2.103
3.2.105
3.3.122-beta
3.3.125-beta
3.3.126-beta
3.3.127-beta
3.3.128-beta
3.3.129-beta
3.3.130-beta
3.3.131-beta
3.3.132-beta
3.3.142
3.3.143-beta
3.3.144-beta
3.3.145-beta
3.3.146-beta
3.3.147-beta
3.3.148-beta
3.4.152-beta
3.4.156
3.5.168-beta
3.5.169-beta
4.*
4.0.179
4.0.180
4.0.181
4.0.182
4.0.183
4.0.185
4.0.187
4.0.197
4.0.199
4.0.201
4.0.204
4.0.205
4.0.207
4.0.210
4.0.217
5.*
5.0.215-beta
5.0.218-beta
5.0.250-beta
5.0.266-beta
5.0.274-beta
5.0.298
5.0.304
5.0.310
5.0.319
5.0.331
5.0.342
5.0.343
5.0.353
5.0.355