CVE-2024-21501

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| snyk | CNA | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |

Base Score: CVSS 3.x
EPSS Score: Percentile: 75%

| Vendor | Product | Version |
|---|---|---|
| apostrophecms | sanitize-html | 𝑥 < 2.12.1 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| node-sanitize-html | bookworm | | no-dsa |
| node-sanitize-html | sid | 2.14.0+~2.13.0-1 | fixed |
| node-sanitize-html | trixie | 2.14.0+~2.13.0-1 | fixed |

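Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| node-sanitize-html | plucky | needs-triage |
| node-sanitize-html | oracular | needs-triage |
| node-sanitize-html | noble | needs-triage |
| node-sanitize-html | mantic | ignored |
| node-sanitize-html | jammy | needs-triage |
| node-sanitize-html | focal | dne |
| node-sanitize-html | bionic | dne |
| node-sanitize-html | xenial | dne |
| node-sanitize-html | trusty | dne |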