GHSA-f5ww-cq3m-q3g7

Source

https://github.com/advisories/GHSA-f5ww-cq3m-q3g7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-f5ww-cq3m-q3g7/GHSA-f5ww-cq3m-q3g7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f5ww-cq3m-q3g7

Aliases

CVE-2023-36823

Published

2023-07-06T19:45:44Z

Modified

2024-02-16T07:55:20.893240Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVSS Calculator

Summary

Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content

Details

Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize >= 3.0.0, < 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows style elements and one or more CSS at-rules. This could result in XSS (cross-site scripting) or other undesired behavior when the malicious HTML and CSS are rendered in a browser.

Patches

Sanitize >= 6.0.2 performs additional escaping of CSS in style element content, which fixes this issue.

Workarounds

Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow style elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence </ as <\/ in style element content.

Credit

This issue was found by @cure53 during an audit of a project that uses Sanitize and was reported by one of that project's maintainers. Thank you!

References

Affected packages

RubyGems / sanitize

Package

Name: sanitize
Purl: pkg:gem/sanitize

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

6.0.2

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.1.1

3.1.2

4.*

4.0.0

4.0.1

4.1.0

4.2.0

4.3.0

4.4.0

4.5.0

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.6.5

4.6.6

5.*

5.0.0

5.1.0

5.2.0

5.2.1

5.2.2

5.2.3

6.*

6.0.0

6.0.1