WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2021-26540 Vulnerability in maven package org.webjars.npm:sanitize-html

Description

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".

Remediation

References

https://advisory.checkmarx.net/advisory/CX-2021-4309

https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26

https://github.com/apostrophecms/sanitize-html/pull/460

Related Vulnerabilities

CVE-2021-3777 Vulnerability in npm package tmpl

CVE-2022-31093 Vulnerability in npm package next-auth

CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-standard-processors

CVE-2021-3795 Vulnerability in npm package semver-regex

CVE-2022-3171 Vulnerability in maven package com.google.protobuf:protobuf-javalite

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Exploit Patch Third Party Advisory Release Notes NVD-CWE-noinfo