Description
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the “allowedIframeHostnames” option when “allowIframeRelativeUrls” is set to true. This allows attackers to bypass the hostname whitelist for the iframe element, using an src value that starts with “/\example.com”.
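Why such a value defeats a prefix-based "is this relative?" test, shown as an added example (not sanitize-html's own code): the WHATWG URL parser used by browsers and Node.js treats “\” like “/” for http(s) URLs, so the value resolves to another host. The function names, the placeholder base and the sample hosts are assumptions made for the illustration.

```javascript
// Hypothetical helpers for illustration; all hosts below are constructed samples.
const BASE = 'https://placeholder.invalid/'; // constructed base, never an allowed host
const BASE_ORIGIN = new URL(BASE).origin;

// Weak check: anything starting with a single "/" is assumed to stay on-site.
function naiveIsRelative(src) {
  return src.startsWith('/') && !src.startsWith('//');
}

// Stronger check: resolve the value with the same parser the browser uses,
// then see whether it stayed on the placeholder origin.
function resolveIframeSrc(src) {
  let url;
  try {
    url = new URL(src, BASE);
  } catch {
    return { ok: false, relative: false, hostname: null };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, relative: false, hostname: null };
  }
  const relative = url.origin === BASE_ORIGIN;
  return { ok: true, relative, hostname: relative ? null : url.hostname };
}

// Decision using the two option names from the advisory.
function isAllowedIframeSrc(src, { allowedIframeHostnames, allowIframeRelativeUrls }) {
  const r = resolveIframeSrc(src);
  if (!r.ok) return false;
  if (r.relative) return allowIframeRelativeUrls === true;
  return allowedIframeHostnames.includes(r.hostname);
}

// Constructed sample inputs, classified by both checks.
const options = { allowedIframeHostnames: ['media.example.org'], allowIframeRelativeUrls: true };
const samples = ['/videos/intro.html', 'https://media.example.org/embed/1',
  '//example.com/embed', '/\\example.com/embed'];
for (const src of samples) {
  console.log(JSON.stringify(src), 'naive relative:', naiveIsRelative(src),
    'allowed:', isAllowedIframeSrc(src, options));
}
```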
Recommendation
Update the sanitize-html package to the latest compatible version. Version details:
- Affected version(s): < 2.3.2
- Patched version(s): 2.3.2
References
Related Issues
- Improper Input Validation in sanitize-html - CVE-2021-26539
- Cross-Site Scripting in sanitize-html (GHSA-3j7m-hmh3-9jmp) - CVE-2016-1000237
- Cross-Site Scripting in sanitize-html (GHSA-xc6g-ggrc-qq4r) - CVE-2017-16016
- Improper Neutralization of Input in Theia console - CVE-2021-28161
Tags:
- npm
- sanitize-html
Last updated on February 01, 2023