Description
Versions of the sanitize-html package before 2.12.1 are vulnerable to Information Exposure when the library runs on the backend (Node.js) and its configuration allows the style attribute (for example via allowedAttributes). An attacker who controls sanitized input can use crafted style attribute values to enumerate files on the server's filesystem, including the project's dependencies. Deployments that never allow the style attribute, or that only sanitize in the browser, do not meet the preconditions described by the advisory.
Recommendation
Update sanitize-html to the latest compatible version (2.12.1 or later). Until the upgrade is deployed, remove style from every allowedAttributes entry so the vulnerable code path is not reachable. Version details:
- Affected version(s): < 2.12.1
- Patched version(s): 2.12.1
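The advisory's preconditions (installed version below 2.12.1, server-side use, and a configuration that admits the style attribute) can be checked mechanically. The following audit helper is an added example written for this page; it is not code from sanitize-html or from the advisory. It assumes the documented semantics of sanitize-html's allowedAttributes option (a false value allows every attribute, the default list contains no style entry, entries may be strings or objects with a name property, and names may contain a trailing wildcard such as data-*). The sample configurations and version strings are constructed for illustration.

```javascript
// Added audit helper (not part of sanitize-html): report whether a deployment
// matches the preconditions of CVE-2024-21501. Assumes the documented
// allowedAttributes semantics of sanitize-html; version bounds come from the advisory.

const PATCHED_VERSION = '2.12.1';

// Minimal MAJOR.MINOR.PATCH comparison; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: anything strictly below 2.12.1.
function isAffectedVersion(version) {
  const bare = String(version).trim().replace(/^v/, '');
  return compareVersions(bare, PATCHED_VERSION) < 0;
}

// Does one allowedAttributes entry admit the style attribute?
// Entries are either attribute names or objects such as { name: 'style', values: [...] }.
function entryAllowsStyle(entry) {
  const name = typeof entry === 'string' ? entry : entry && entry.name;
  if (typeof name !== 'string') return false;
  if (name === 'style') return true;
  if (!name.includes('*')) return false;
  // Wildcard names (e.g. 'data-*' or '*') are matched as simple globs.
  const pattern = new RegExp('^' + name.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$');
  return pattern.test('style');
}

// True when any tag (including the '*' wildcard tag key) may carry a style attribute.
// Note: this does not check allowedTags, so it errs on the side of reporting exposure.
function allowsStyleAttribute(options) {
  const allowed = options && options.allowedAttributes;
  if (allowed === false) return true;       // false means "allow every attribute"
  if (allowed === undefined) return false;  // library default list has no style entry
  return Object.values(allowed).some(
    list => Array.isArray(list) && list.some(entryAllowsStyle)
  );
}

// Combine the three preconditions into one assessment.
function assessExposure({ version, options, serverSide }) {
  const affectedVersion = isAffectedVersion(version);
  const styleAllowed = allowsStyleAttribute(options);
  return {
    affectedVersion,
    styleAllowed,
    serverSide: Boolean(serverSide),
    exposed: Boolean(serverSide) && affectedVersion && styleAllowed,
  };
}

// Constructed sample configurations (not taken from any real project).
const weakConfig = {
  allowedTags: ['p', 'span'],
  allowedAttributes: { '*': ['class', 'style'] },
};
const hardenedConfig = {
  allowedTags: ['p', 'span'],
  allowedAttributes: { '*': ['class'] },
};

// Example usage: the same server-side deployment before and after the mitigation.
console.log(assessExposure({ version: '2.12.0', options: weakConfig, serverSide: true }));
console.log(assessExposure({ version: '2.12.0', options: hardenedConfig, serverSide: true }));
console.log(assessExposure({ version: '2.12.1', options: weakConfig, serverSide: true }));

module.exports = { isAffectedVersion, allowsStyleAttribute, assessExposure, weakConfig, hardenedConfig };
```

The helper deliberately ignores allowedTags, so a configuration that lists style under a tag that is never allowed is still reported as exposed; that is the safer direction for an audit, and the version check alone is reason enough to upgrade.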
References
- GHSA-rm97-x556-q36h
- security.snyk.io
- lists.fedoraproject.org
- CVE-2024-21501
- CWE-200
- CWE-538
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
- Improper Input Validation in sanitize-html - CVE-2021-26539
- Improper Input Validation in sanitize-html (GHSA-mjxr-4v3x-q3m4) - CVE-2021-26540
- Svelte has a potential mXSS vulnerability due to improper HTML escaping - CVE-2024-45047
Tags
- npm
- sanitize-html
Last updated on August 28, 2024