CVE-2023-23627

Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.
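To check an installation against the two conditions the advisory names (an affected version and a custom config that allows `noscript`), here is an added Ruby example; it is not code from the advisory or from the Sanitize project, it only inspects a config hash without loading the gem, and the `CUSTOM_CONFIG` hash is a constructed sample.

```ruby
# Added example (not the advisory's or the Sanitize project's code): audit a
# custom Sanitize config against the conditions described in CVE-2023-23627.
# Only the config hash is inspected; the Sanitize gem itself is not called.
require "rubygems"

# Affected range from the advisory: 5.0.0 and later, prior to 6.0.1.
AFFECTED_RANGE = (Gem::Version.new("5.0.0")...Gem::Version.new("6.0.1"))

def affected_version?(version)
  AFFECTED_RANGE.cover?(Gem::Version.new(version))
end

# Sanitize configs list allowed element names (strings) under :elements.
def allows_noscript?(config)
  Array(config[:elements]).any? { |el| el.to_s.casecmp?("noscript") }
end

# Exposed only when both conditions hold: an affected version AND a custom
# allowlist that includes noscript (the default configs do not include it).
def exposed?(version, config)
  affected_version?(version) && allows_noscript?(config)
end

# Workaround from the advisory for users who cannot upgrade: remove noscript
# from the element allowlist. Returns a new hash; the input is not mutated.
def harden(config)
  kept = Array(config[:elements]).reject { |el| el.to_s.casecmp?("noscript") }
  config.merge(elements: kept)
end

# Constructed sample config (hypothetical, not taken from the advisory).
CUSTOM_CONFIG = {
  elements: %w[a b i p noscript],
  attributes: { "a" => %w[href] }
}.freeze

if $PROGRAM_NAME == __FILE__
  puts "exposed on 6.0.0: #{exposed?('6.0.0', CUSTOM_CONFIG)}"
  puts "exposed on 6.0.1: #{exposed?('6.0.1', CUSTOM_CONFIG)}"
  puts "hardened elements: #{harden(CUSTOM_CONFIG)[:elements].inspect}"
end
```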
Cross-site Scripting
Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  6.1 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GitHub_M   CNA   6.1 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE        ADP   ---                                                       ---
CISA-ADP   ADP   ---                                                       ---

EPSS Score: Percentile 51%
Vendor            Product   Version
sanitize_project  sanitize  5.0.0 ≤ x < 6.0.1

x = Vulnerable software versions
Debian Releases

Debian Product  Codename             Version             Status
ruby-sanitize   bullseye (security)                      vulnerable
ruby-sanitize   bullseye                                 no-dsa
ruby-sanitize   buster                                   no-dsa
ruby-sanitize   bookworm             6.0.0-1.1+deb12u1   fixed
ruby-sanitize   bookworm (security)  6.0.0-1.1+deb12u1   fixed
ruby-sanitize   sid                  6.0.2-2             fixed
ruby-sanitize   trixie               6.0.2-2             fixed
Ubuntu Releases

Ubuntu Product  Codename  Version                          Status
ruby-sanitize   mantic    Fixed 6.0.0-1.1ubuntu0.23.10.1   released
ruby-sanitize   lunar                                      ignored
ruby-sanitize   kinetic                                    ignored
ruby-sanitize   jammy     Fixed 6.0.0-1ubuntu0.1           released
ruby-sanitize   focal     Fixed 4.6.6-2.1~0.20.04.2        released
ruby-sanitize   bionic                                     not-affected
ruby-sanitize   xenial                                     not-affected
ruby-sanitize   trusty                                     ignored