CVE-2024-21501
published 2024-02-24CVE-2024-21501: Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed…
PriorityP430medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
1.02%
59.0th percentile
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | sanitize-html | < 2.12.1 | 2.12.1 |
| apostrophecms | sanitize-html | >= 0 < 2.12.1 | 2.12.1 |
| debian | node-sanitize-html | < node-sanitize-html 2.13.0+~2.11.0-1 (forky) | node-sanitize-html 2.13.0+~2.11.0-1 (forky) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
osv5.3MEDIUM
vendor_debian5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
sanitize-html Information Exposure vulnerability
osv·2024-02-24
CVE-2024-21501 [MEDIUM] sanitize-html Information Exposure vulnerability
sanitize-html Information Exposure vulnerability
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
OSV
CVE-2024-21501: Versions of the package sanitize-html before 2
osv·2024-02-24·CVSS 5.3
CVE-2024-21501 [MEDIUM] CVE-2024-21501: Versions of the package sanitize-html before 2
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
GHSA
sanitize-html Information Exposure vulnerability
ghsa·2024-02-24
CVE-2024-21501 [MEDIUM] CWE-200 sanitize-html Information Exposure vulnerability
sanitize-html Information Exposure vulnerability
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Red Hat
sanitize-html: Information Exposure when used on the backend
vendor_redhat·2024-02-24·CVSS 5.3
CVE-2024-21501 [MEDIUM] CWE-200 sanitize-html: Information Exposure when used on the backend
sanitize-html: Information Exposure when used on the backend
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
An information exposure flaw was found in the sanitize-html package, when used on the backend with the style attribute allowed. This issue may allow an attacker to enumerate files in the system, including project dependencies, to gather details about the file system structure and dependencies of the targeted server.
Package: rhdh/rhdh-hub-rhel9 (Red Hat Developer Hu
Debian
CVE-2024-21501: node-sanitize-html - Versions of the package sanitize-html before 2.12.1 are vulnerable to Informatio...
vendor_debian·2024·CVSS 5.3
CVE-2024-21501 [MEDIUM] CVE-2024-21501: node-sanitize-html - Versions of the package sanitize-html before 2.12.1 are vulnerable to Informatio...
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Scope: local
bookworm: open
forky: resolved (fixed in 2.13.0+~2.11.0-1)
sid: resolved (fixed in 2.13.0+~2.11.0-1)
trixie: resolved (fixed in 2.13.0+~2.11.0-1)
No detection rules found.
No public exploits indexed.
https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cfhttps://github.com/apostrophecms/apostrophe/discussions/4436https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4https://github.com/apostrophecms/sanitize-html/pull/650https://lists.fedoraproject.org/archives/list/[email protected]/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/https://lists.fedoraproject.org/archives/list/[email protected]/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cfhttps://github.com/apostrophecms/apostrophe/discussions/4436https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4https://github.com/apostrophecms/sanitize-html/pull/650https://lists.fedoraproject.org/archives/list/[email protected]/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/https://lists.fedoraproject.org/archives/list/[email protected]/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334
2024-02-24
Published