RubySec advisory RUBY:SANITIZE-2023-36823 (rubygems)
History: Jul 05, 2023 - 9:00 p.m.

Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content

Published: 2023-07-05 21:00:00
Source: RubySec (github.com)
Tags: sanitize, cross-site scripting, css at-rules, vulnerability, escaping, sanitize config

CVSS3: 7.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Impact

Using carefully crafted input, an attacker may be able to pass
arbitrary HTML and CSS through Sanitize >= 3.0.0, < 6.0.2 when
Sanitize is configured to use the built-in "relaxed" config, or
when using a custom config that allows style elements and one
or more CSS at-rules. This could result in XSS (cross-site scripting)
or other undesired behavior when the malicious HTML and CSS are
rendered in a browser.

Patches

Sanitize >= 6.0.2 performs additional escaping of CSS in style
element content, which fixes this issue.

Workarounds

Users who are unable to upgrade can prevent this issue by using a
Sanitize config that doesn't allow style elements, using a Sanitize
config that doesn't allow CSS at-rules, or by manually escaping the
character sequence </ as <\/ in style element content.
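The following is an added example, not code from the advisory or the Sanitize gem. It checks an installed version against the affected range stated above, flags a config that combines style elements with CSS at-rules (assuming a plain Hash laid out like Sanitize's config hashes, with an :elements list and a :css sub-hash; that layout is an assumption here), and applies the manual workaround of escaping </ as <\/ in style element content. It uses only the Ruby standard library.

```ruby
# Added example (not from the advisory or the Sanitize project).
# Gem::Version comes from rubygems, which Ruby loads by default.

# Affected range stated in the advisory: Sanitize >= 3.0.0 and < 6.0.2.
AFFECTED_MIN = Gem::Version.new("3.0.0")
FIXED_IN     = Gem::Version.new("6.0.2")

# True when the given Sanitize version string falls inside the vulnerable range.
def affected_version?(version)
  v = Gem::Version.new(version)
  v >= AFFECTED_MIN && v < FIXED_IN
end

# True when a config both allows <style> elements and allows one or more
# CSS at-rules, the exposed combination the advisory describes.
# ASSUMPTION: the Hash mirrors Sanitize's config layout (:elements plus a
# :css sub-hash whose at-rule lists live under the keys below).
AT_RULE_KEYS = %i[at_rules at_rules_with_properties at_rules_with_styles].freeze

def config_exposed?(config)
  elements = Array(config[:elements])
  at_rules = AT_RULE_KEYS.flat_map { |k| Array(config.dig(:css, k)) }
  elements.include?("style") && !at_rules.empty?
end

# Manual workaround from the advisory: escape every "</" as "<\/" in style
# element content. In CSS a backslash before "/" is a plain escape, so the
# stylesheet keeps its meaning, but the HTML tokenizer no longer sees a
# tag-close sequence inside the <style> element. The block form of gsub is
# used so the backslash in the replacement is taken literally.
def escape_style_content(css)
  css.gsub("</") { "<\\/" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an at-rule argument and a string value carrying "</".
  sample = "@import url('a</b.css'); p { content: '</'; }"
  puts escape_style_content(sample)
  puts "6.0.1 affected? #{affected_version?('6.0.1')}"
  relaxed_like = { elements: %w[p style], css: { at_rules: %w[import] } }
  puts "config exposed? #{config_exposed?(relaxed_like)}"
end
```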

Credit

This issue was found by @cure53 during an audit of a project that
uses Sanitize and was reported by one of that project’s maintainers.
Thank you!

Affected configurations

Vulners node: ruby sanitize, Range 6.0.2

Vendor  Product   Version  CPE
ruby    sanitize  *        cpe:2.3:a:ruby:sanitize:*:*:*:*:*:*:*:*
