CVE-2023-36823

EUVD-2023-2045

06.07.2023, 16:15

Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in `style` element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `</` as `<\/` in `style` element content.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
GitHub_M	CNA	7.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 55%

Affected Products (NVD)

Vendor	Product	Version
sanitize_project	sanitize	3.0.0 ≤ 𝑥 < 6.0.2
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ruby-sanitize

bookworm	6.0.0-1.1+deb12u1 fixed
bookworm (security)	6.0.0-1.1+deb12u1 fixed
bullseye	5.2.1-2+deb11u1 fixed
bullseye (security)	5.2.1-2+deb11u1 fixed
sid	6.0.2-2 fixed
trixie	6.0.2-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

ruby-sanitize

bionic	not-affected
focal	Fixed 4.6.6-2.1~0.20.04.2 released
jammy	Fixed 6.0.0-1ubuntu0.1 released
kinetic	ignored
lunar	ignored
mantic	Fixed 6.0.0-1.1ubuntu0.23.10.1 released
trusty	ignored
xenial	not-affected

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220

https://github.com/rgrove/sanitize/releases/tag/v6.0.2

https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7

https://lists.debian.org/debian-lts-announce/2023/11/msg00008.html

https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220

https://github.com/rgrove/sanitize/releases/tag/v6.0.2

https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7

https://lists.debian.org/debian-lts-announce/2023/11/msg00008.html