CVE-2018-3740 — Cross-site Scripting in Grove Sanitize

CWE-79 — Cross-site Scripting CWE-20 — Improper Input Validation8 documents5 sources

Severity

7.5HIGHNVD

OSV5.6

EPSS

0.3%

top 51.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ryan Grove Sanitize Sanitize Project Sanitize Debian Ruby-sanitize

Timeline

PublishedMar 30

Latest updateAug 14

Description

A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/ruby-sanitize< ruby-sanitize 4.6.6-1 (bookworm)

▶CVEListV5ryan_grove/sanitize< 4.6.3

▶RubyGemssanitize_project/sanitize3.0.0 — 4.6.3

▶NVDsanitize_project/sanitize4.6.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

linux-hwe, linux-azure, linux-gcp vulnerabilities↗2018-08-14

▶

OSV

CVE-2018-3740: A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element↗2018-03-30

▶

GHSA

Sanitize vulnerable to Improper Input Validation and Cross-site Scripting↗2018-03-21

▶

OSV

Sanitize vulnerable to Improper Input Validation and Cross-site Scripting↗2018-03-21

▶

📋Vendor Advisories

Debian

CVE-2018-3740: ruby-sanitize - A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-w...↗2018

▶

💬Community

Bugzilla

CVE-2018-3740 rubygem-sanitize: Improper filtering by libxml2 allows for cross-site scripting (XSS) [fedora-all]↗2018-03-22

▶

Bugzilla

CVE-2018-3740 rubygem-sanitize: Improper filtering by libxml2 allows for cross-site scripting (XSS)↗2018-03-22

▶