Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ybTk3LXg1NTYtcTM2aM4AA5fD
sanitize-html Information Exposure vulnerability
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Permalink: https://github.com/advisories/GHSA-rm97-x556-q36h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ybTk3LXg1NTYtcTM2aM4AA5fD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-rm97-x556-q36h, CVE-2024-21501
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-21501
- https://github.com/apostrophecms/sanitize-html/pull/650
- https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4
- https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf
- https://github.com/apostrophecms/apostrophe/discussions/4436
- https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557
- https://lists.fedoraproject.org/archives/list/[email protected]/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7
- https://lists.fedoraproject.org/archives/list/[email protected]/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S
- https://github.com/advisories/GHSA-rm97-x556-q36h
Blast Radius: 26.3
Affected Packages
npm:sanitize-html
Dependent packages: 1,495
Dependent repositories: 89,985
Downloads: 11,321,841 last month
Affected Version Ranges: < 2.12.1
Fixed in: 2.12.1
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.7, 1.1.8, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.13.0, 1.14.0, 1.14.1, 1.14.2, 1.14.3, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.18.0, 1.18.1, 1.18.2, 1.18.3, 1.18.4, 1.18.5, 1.19.0, 1.19.1, 1.19.2, 1.19.3, 1.20.0, 1.20.1, 1.21.0, 1.21.1, 1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.27.4, 1.27.5, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.9.0, 2.10.0, 2.11.0, 2.12.0
All unaffected versions: 2.12.1, 2.13.0, 2.13.1