Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdmNDItcDg0ai1mNThw

Sanitize vulnerable to Improper Input Validation and Cross-site Scripting

When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

This can allow HTML and JavaScript injection, which could result in XSS if Sanitize's output is served to browsers.

Permalink: https://github.com/advisories/GHSA-7f42-p84j-f58p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdmNDItcDg0ai1mNThw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago

CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-7f42-p84j-f58p, CVE-2018-3740
References:

Repository: https://github.com/rgrove/sanitize
Blast Radius: 30.2

Affected Packages

rubygems:sanitize

Dependent packages: 260
Dependent repositories: 10,715
Downloads: 94,054,940 total
Affected Version Ranges: >= 3.0.0, < 4.6.3
Fixed in: 4.6.3
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.1.0, 1.2.0, 1.2.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.1.2, 6.1.3