CVE-2023-23627

Sanitize vulnerable to Cross-site Scripting via Improper neutralization of `noscript` element

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.

Sanitize es un desinfectante de HTML y CSS basado en listas de permitidos. Las versiones 5.0.0 y posteriores, anteriores a la 6.0.1, son vulnerables a cross-site scripting. Cuando Sanitize se configura con una lista de permitidos personalizada que permite elementos "noscript", los atacantes pueden incluir HTML arbitrario, lo que genera XSS (scripting entre sitios) u otro comportamiento no deseado cuando ese HTML se representa en un navegador. Las configuraciones predeterminadas no permiten elementos "noscript" y no son vulnerables. Este problema solo afecta a los usuarios que utilizan una configuración personalizada que agrega "noscript" a la lista de elementos permitidos. Este problema se solucionó en la versión 6.0.1. Los usuarios que no pueden actualizar pueden evitar este problema usando una de las configuraciones predeterminadas de Sanitize o asegurándose de que su configuración personalizada no incluya "noscript" en la lista de elementos permitidos.

*Credits: N/A

CVSS Scores

NISTv3.1 6.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-01-16 CVE Reserved
2023-01-27 CVE Published
2024-08-02 CVE Updated
2024-08-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (1)

URL	Tag	Source
https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sanitize Project Search vendor "Sanitize Project"		Sanitize Search vendor "Sanitize Project" for product "Sanitize"				>= 5.0.0 < 6.0.1 Search vendor "Sanitize Project" for product "Sanitize" and version " >= 5.0.0 < 6.0.1"		ruby		Affected