CVE-2024-21501
EUVD-2024-071924.02.2024, 05:15
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| apostrophecms | sanitize-html | 𝑥 < 2.12.1 |
| apostrophecms | sanitize-html | 𝑥 < 2.12.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or DirectoryThe product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
References