Description
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend with the style attribute allowed. A crafted input can be used to enumerate files on the system (including project dependencies).
Recommendation
Update the sanitize-html package to the latest compatible version. Version details:
- Affected version(s): < 2.12.1
- Patched version(s): 2.12.1
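The advisory has two conditions, an unpatched version and a configuration that allows the `style` attribute, so a practitioner will usually want to check both before deploying. The following is an added example, not code from the advisory or from the sanitize-html project: it compares a version string against the patched version 2.12.1 and inspects a sanitize-html options object for `style` in `allowedAttributes`. The helper names (`isAffected`, `allowsStyleAttribute`, `needsAttention`) are this example's own; the shape of `allowedAttributes` (per-tag arrays of attribute names or `{ name, values }` objects, `'*'` as a wildcard tag, and `false` meaning allow everything) follows the sanitize-html options documentation, and the project's default options do not allow `style`.

```javascript
// Added example (not part of the advisory): pre-deployment checks for the two
// conditions named in CVE-2024-21501 for sanitize-html.

const PATCHED = [2, 12, 1]; // first fixed version from the advisory

// Parse "2.11.0", "v2.12.1" or "2.12.1-beta.0" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is in the affected range (< 2.12.1).
function isAffected(version) {
  return compareVersions(parseVersion(version), PATCHED) < 0;
}

// True when a sanitize-html options object permits the `style` attribute on
// any tag. Covers per-tag lists, the '*' wildcard tag, object-form entries
// such as { name: 'style', values: [...] }, and allowedAttributes: false
// (which sanitize-html documents as "allow all attributes").
function allowsStyleAttribute(options) {
  const allowed = options && options.allowedAttributes;
  if (allowed === false) return true;
  if (!allowed || typeof allowed !== 'object') return false; // defaults: no style
  return Object.values(allowed).some(list =>
    Array.isArray(list) &&
    list.some(entry => entry === 'style' || (entry && entry.name === 'style'))
  );
}

// Both conditions from the advisory have to hold for the backend to be exposed.
function needsAttention(installedVersion, options) {
  return isAffected(installedVersion) && allowsStyleAttribute(options);
}

// Constructed sample inputs (not real deployments).
const sampleOptions = { allowedTags: ['p', 'span'], allowedAttributes: { '*': ['style'] } };
console.log('2.11.0 with style allowed:', needsAttention('2.11.0', sampleOptions)); // true
console.log('2.12.1 with style allowed:', needsAttention('2.12.1', sampleOptions)); // false

module.exports = { parseVersion, isAffected, allowsStyleAttribute, needsAttention };
```

Run it against the version reported by `npm ls sanitize-html` and the options object your service actually passes to `sanitizeHtml()`. A `true` from `needsAttention` means either upgrade to 2.12.1 or later, or drop `style` from `allowedAttributes` until you can.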
References
- GHSA-rm97-x556-q36h
- security.snyk.io
- lists.fedoraproject.org
- CVE-2024-21501
- CWE-200
- CWE-538
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- Froala Editor Cross-site Scripting vulnerability - CVE-2023-41592
- Potential DoS when using ContextLines integration - Vulnerability
- json-schema-ref-parser Prototype Pollution issue - CVE-2024-29651
Tags:
- npm
- sanitize-html
Last updated on August 28, 2024