CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize >= 3.0.0, < 6.0.2 when Sanitize is configured to use the built-in "relaxed" config, or when using a custom config that allows <style> elements and one or more CSS at-rules. This could result in XSS (cross-site scripting) or other undesired behavior when the malicious HTML and CSS are rendered in a browser.
Sanitize >= 6.0.2 performs additional escaping of CSS in <style> element content, which fixes this issue.
Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow <style> elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence </ as <\/ in <style> element content.
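As an added illustration of the manual workaround above (this is not code from the Sanitize project), the Ruby below escapes "</" in the text a sanitizer holds for a <style> element and models how an HTML tokenizer decides where that element ends; the sample CSS and all helper names are constructed for this example.

```ruby
# Escape every "</" as "<\/". CSS reads "\/" as an escaped "/", so the
# stylesheet keeps its meaning, but an HTML tokenizer reading the element's
# raw text no longer sees the start of an end tag. Block form is used so
# the replacement string is not interpreted for backslash sequences.
def escape_style_text(css)
  css.gsub('</') { '<\/' }
end

# Model of how a browser ends a <style> element: while reading raw text it
# only stops at "</style" (case-insensitive); everything else stays CSS.
# Returns [css kept inside the element, trailing markup parsed as HTML or nil].
def split_at_style_end(text)
  m = text.match(%r{</style\b}i)
  return [text, nil] unless m
  [m.pre_match, m[0] + m.post_match]
end

# True when serializing this text verbatim would let content escape the
# <style> element and be parsed as HTML by the browser.
def breaks_out_of_style?(text)
  !split_at_style_end(text)[1].nil?
end

# Constructed sample: an at-rule followed by an early end tag, as the text
# node of a parsed <style> element might hold it before the 6.0.2 fix.
SAMPLE_CSS = "@media print { p { color: red } } </style><b>outside</b>"

if __FILE__ == $0
  puts breaks_out_of_style?(SAMPLE_CSS)                    # true
  puts breaks_out_of_style?(escape_style_text(SAMPLE_CSS)) # false
  puts escape_style_text(SAMPLE_CSS)
end
```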
This issue was found by @cure53 during an audit of a project that uses Sanitize and was reported by one of that project's maintainers. Thank you!