CVE-2023-23627Cross-site Scripting in Project Sanitize

CWE-79Cross-site Scripting7 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.4%
top 36.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Sanitize Project SanitizeDebian Ruby-sanitizeRgrove Sanitize
Timeline
PublishedJan 28
Latest updateApr 24

Description

Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are u

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

debiandebian/ruby-sanitize< ruby-sanitize 6.0.0-1.1 (bookworm)
NVDsanitize_project/sanitize5.0.06.0.1
RubyGemssanitize_project/sanitize5.0.06.0.1
CVEListV5rgrove/sanitize>= 5.0.0, < 6.0.1

🔴Vulnerability Details

4
OSV
ruby-sanitize vulnerabilities2024-04-24
OSV
CVE-2023-23627: Sanitize is an allowlist-based HTML and CSS sanitizer2023-01-28
GHSA
Improper neutralization of `noscript` element content may allow XSS in Sanitize2023-01-28
OSV
Improper neutralization of `noscript` element content may allow XSS in Sanitize2023-01-28

📋Vendor Advisories

2
Ubuntu
Sanitize vulnerabilities2024-04-24
Debian
CVE-2023-23627: ruby-sanitize - Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later,...2023