Description
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
Remediation
References
https://advisory.checkmarx.net/advisory/CX-2021-4308
https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22
https://github.com/apostrophecms/sanitize-html/pull/458
Related Vulnerabilities
CVE-2021-29262 Vulnerability in maven package org.apache.solr:solr-core
CVE-2021-4279 Vulnerability in maven package org.webjars.bower:fast-json-patch
CVE-2022-0239 Vulnerability in maven package edu.stanford.nlp:stanford-corenlp
CVE-2023-29206 Vulnerability in maven package org.xwiki.platform:xwiki-platform-skin-skinx
CVE-2020-16040 Vulnerability in maven package org.webjars.npm:electron