Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mdzNnLTJoM2otcW1tN84AAxPa
Improper neutralization of `noscript` element content may allow XSS in Sanitize
Impact
Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize >= 5.0.0, < 6.0.1 when Sanitize is configured with a custom allowlist that allows noscript elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.
Sanitize's default configs don't allow noscript elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.
Patches
Sanitize >= 6.0.1 always removes noscript elements and their contents, even when noscript is in the allowlist.
Workarounds
Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include noscript in the element allowlist.
Details
The root cause of this issue is that HTML parsing rules treat the contents of a noscript element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a noscript element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.
References
Credit
Thanks to David Klein from TU Braunschweig (@leeN) for reporting this issue.
Permalink: https://github.com/advisories/GHSA-fw3g-2h3j-qmm7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mdzNnLTJoM2otcW1tN84AAxPa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-fw3g-2h3j-qmm7, CVE-2023-23627
References:
- https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7
- https://nvd.nist.gov/vuln/detail/CVE-2023-23627
- https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-23627.yml
- https://github.com/advisories/GHSA-fw3g-2h3j-qmm7
Blast Radius: 24.6
Affected Packages
rubygems:sanitize
Dependent packages: 258Dependent repositories: 10,715
Downloads: 80,975,472 total
Affected Version Ranges: >= 5.0.0, < 6.0.1
Fixed in: 6.0.1
All affected versions: 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 6.0.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.1.0, 1.2.0, 1.2.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 6.0.1, 6.0.2, 6.1.0