CVE-2023-36823.yml
---
gem: sanitize
cve: 2023-36823
ghsa: f5ww-cq3m-q3g7
url: https://github.com/rgrove/sanitize/releases/tag/v6.0.2
title: Sanitize vulnerable to Cross-site Scripting via insufficient
  neutralization of `style` element content
date: 2023-07-06
description: |
  ### Impact

  Using carefully crafted input, an attacker may be able to sneak
  arbitrary HTML and CSS through Sanitize `>= 3.0.0, < 6.0.2` when
  Sanitize is configured to use the built-in "relaxed" config or
  when using a custom config that allows `style` elements and one
  or more CSS at-rules. This could result in XSS (cross-site scripting)
  or other undesired behavior when the malicious HTML and CSS are
  rendered in a browser.

  ### Patches

  Sanitize `>= 6.0.2` performs additional escaping of CSS in `style`
  element content, which fixes this issue.

  ### Workarounds

  Users who are unable to upgrade can prevent this issue by using a
  Sanitize config that doesn't allow `style` elements, using a Sanitize
  config that doesn't allow CSS at-rules, or by manually escaping the
  character sequence `</` as `<\/` in `style` element content.

  ### Credit

  This issue was found by @cure53 during an audit of a project that
  uses Sanitize and was reported by one of that project's maintainers.
  Thank you!
cvss_v3: 7.1
unaffected_versions:
  - "< 3.0.0"
patched_versions:
  - ">= 6.0.2"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-36823
    - https://github.com/rgrove/sanitize/releases/tag/v6.0.2
    - https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220
    - https://github.com/advisories/GHSA-f5ww-cq3m-q3g7
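The following Ruby is an added example for this advisory entry; it is not code from the ruby-advisory-db, from the Sanitize gem, or from the fix commit linked above. It does two things a practitioner triaging this CVE typically wants: classify a Sanitize version against the ranges the entry states, and apply the advisory's stated workaround (escape `</` as `<\/` in `style` element content) to the text of a style element. To show why that escape matters, it includes a deliberately minimal model of the HTML tokenizer's raw-text state for `<style>`: the element ends at the first `</style` followed by whitespace, `/` or `>`, and anything after that point is parsed as markup again. The `style_element` helper, its bare `<style>` tag, and the `SAMPLE_CSS` input are constructed for the example; the `@media` at-rule in the sample is only there because the advisory ties the issue to configs that allow at-rules, and it is not a claim about the original report's payload. Only the Ruby standard library is used.

```ruby
# Added example (not from the advisory, ruby-advisory-db, or the Sanitize gem).
# 1. Version classification against the ranges stated in the entry.
# 2. The advisory's workaround: escape "</" as "<\/" in style element content,
#    plus a small model of where an HTML tokenizer would end the element.
# Only the Ruby standard library is used; Sanitize itself is not called.

require "rubygems" # Gem::Version and Gem::Requirement

# Ranges copied from the entry: affected ">= 3.0.0, < 6.0.2", patched ">= 6.0.2",
# everything below 3.0.0 unaffected.
AFFECTED = Gem::Requirement.new(">= 3.0.0", "< 6.0.2")
PATCHED  = Gem::Requirement.new(">= 6.0.2")

# Classify a Sanitize version string as :affected, :patched or :unaffected.
def sanitize_status(version)
  v = Gem::Version.new(version)
  return :affected if AFFECTED.satisfied_by?(v)
  return :patched  if PATCHED.satisfied_by?(v)
  :unaffected
end

# The workaround from the advisory, applied to the *text content* of a style
# element (the string a DOM serializer emits between <style> and </style>).
# "\/" is a valid CSS escape for "/", so the stylesheet keeps its meaning,
# while the HTML tokenizer no longer sees a "</" that could start an end tag.
# The block form of gsub inserts the replacement literally (no "\1"-style
# interpretation of the backslash).
def escape_style_css(css)
  css.gsub("</") { "<\\/" }
end

# Serialize a style element with the workaround applied. The bare <style>
# tag is an assumption of this example; attributes are not modelled.
def style_element(css)
  "<style>#{escape_style_css(css)}</style>"
end

# Minimal model of the HTML tokenizer's raw-text state for <style>: the
# element's text runs from the end of the opening tag to the first "</style"
# followed by whitespace, "/" or ">" (case-insensitive). Text after that
# boundary is tokenized as markup again.
def browser_style_text(markup)
  open_end = markup.index(">")
  raise ArgumentError, "no opening tag" unless open_end
  body = markup[(open_end + 1)..]
  stop = body =~ %r{</style(?=[\s/>])}i
  stop ? body[0, stop] : body
end

# Constructed sample: an at-rule followed by text that looks like an end tag
# and further markup. Without the escape, the tokenizer leaves the style
# element at "</style>" and "<b>...</b>" becomes live HTML.
SAMPLE_CSS = "@media screen { body { color: red } } </style><b>not css</b>"

if __FILE__ == $PROGRAM_NAME
  unescaped = "<style>#{SAMPLE_CSS}</style>"
  puts "unescaped, kept as CSS by the browser: #{browser_style_text(unescaped).inspect}"
  puts "escaped,   kept as CSS by the browser: #{browser_style_text(style_element(SAMPLE_CSS)).inspect}"
  %w[2.1.0 3.0.0 6.0.1 6.0.2].each { |v| puts "sanitize #{v}: #{sanitize_status(v)}" }
end
```

Note that `escape_style_css` is idempotent (the output contains no `</`), so running it over content that was already escaped is harmless; the real fix in Sanitize `>= 6.0.2` does this escaping itself, so the helper is only a stop-gap for deployments that cannot upgrade yet.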