CVE-2023-36823: Cross-site Scripting in Project Sanitize

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.4% (top 38.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 6
Latest update: Apr 24

Description

Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. San

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

Source      Package                     Affected versions
debian      debian/ruby-sanitize        < ruby-sanitize 6.0.0-1.1+deb12u1 (bookworm)
NVD         sanitize_project/sanitize   introduced 3.0.0, fixed 6.0.2
RubyGems    sanitize_project/sanitize   introduced 3.0.0, fixed 6.0.2
CVEListV5   rgrove/sanitize             >= 3.0.0, < 6.0.2

Also affects: Debian Linux 10.0

Patches

Vulnerability Details (4)

OSV: ruby-sanitize vulnerabilities (2024-04-24)
GHSA: Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content (2023-07-06)
OSV: Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content (2023-07-06)
OSV: CVE-2023-36823: Sanitize is an allowlist-based HTML and CSS sanitizer (2023-07-06)

Vendor Advisories (2)

Ubuntu: Sanitize vulnerabilities (2024-04-24)
Debian: CVE-2023-36823: ruby-sanitize - Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted i... (2023)