CVE-2024-21501 — Sensitive Information Exposure in Sanitize-html

CWE-200 — Sensitive Information Exposure CWE-538 — Insertion of Sensitive Information into Externally-Accessible File or Directory7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

1.8%

top 17.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apostrophecms Sanitize-html Fedoraproject Fedora

Timeline

PublishedFeb 24

Description

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5apostrophecms/sanitize-html< 2.12.1

▶NVDapostrophecms/sanitize-html< 2.12.1

▶npmapostrophecms/sanitize-html< 2.12.1

Also affects: Fedora 39, 40

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

sanitize-html Information Exposure vulnerability↗2024-02-24

▶

CVEList

CVE-2024-21501: Versions of the package sanitize-html before 2↗2024-02-24

▶

OSV

CVE-2024-21501: Versions of the package sanitize-html before 2↗2024-02-24

▶

GHSA

sanitize-html Information Exposure vulnerability↗2024-02-24

▶

📋Vendor Advisories

Red Hat

sanitize-html: Information Exposure when used on the backend↗2024-02-24

▶

Debian

CVE-2024-21501: node-sanitize-html - Versions of the package sanitize-html before 2.12.1 are vulnerable to Informatio...↗2024

▶