CVE-2021-26539

EUVD-2021-1183
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
apostrophecmssanitize-html
𝑥
< 2.3.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-sanitize-html
bookworm
2.8.0+~2.6.2-1
fixed
sid
2.13.1+~2.13.0-1
fixed
trixie
2.13.1+~2.13.0-1
fixed
References
https://advisory.checkmarx.net/advisory/CX-2021-4308
https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22
https://github.com/apostrophecms/sanitize-html/pull/458
https://advisory.checkmarx.net/advisory/CX-2021-4308
https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22
https://github.com/apostrophecms/sanitize-html/pull/458