Description
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when "allowIframeRelativeUrls" is set to true, which allows attackers to bypass the hostname whitelist for the iframe element by using an src value that starts with "/\\example.com".
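A browser resolving a URL against an http(s) page treats "\" like "/", so a value that looks like a relative path can carry its own host. The following is an added example, not sanitize-html's code: the helper names and the `.invalid` and `player.example` hosts are constructed. It resolves the src with the WHATWG URL parser before applying the hostname list.

```javascript
// Added example: hypothetical helpers, not sanitize-html's implementation.

// Naive relative-URL test of the kind this bypass defeats:
// one leading "/" that is not followed by a second "/".
function naiveIsRelative(src) {
  return src.startsWith('/') && !src.startsWith('//');
}

// Two constructed placeholder bases with a "special" scheme (https), so the
// WHATWG parser applies the same backslash and whitespace rules a browser does.
const BASE_A = 'https://base-a.invalid/dir/';
const BASE_B = 'https://base-b.invalid/dir/';

// Returns { relative: true } when the host is inherited from the base,
// { relative: false, protocol, hostname } when src carries its own host,
// or null when src does not parse at all.
function resolveIframeSrc(src) {
  let a, b;
  try {
    a = new URL(src, BASE_A);
    b = new URL(src, BASE_B);
  } catch (e) {
    return null;
  }
  // If the hostname follows whichever base was used, src had no host of its own.
  if (a.hostname !== b.hostname) return { relative: true };
  return { relative: false, protocol: a.protocol, hostname: a.hostname };
}

// Decide on the resolved URL, never on the raw string prefix.
function isIframeSrcAllowed(src, allowedHostnames, allowRelative) {
  const r = resolveIframeSrc(src);
  if (r === null) return false;
  if (r.relative) return allowRelative;
  if (r.protocol !== 'http:' && r.protocol !== 'https:') return false;
  return allowedHostnames.includes(r.hostname);
}

// Constructed sample inputs: the value from the description and a true relative path.
const samples = ['/\\example.com', '/embed/player.html'];
for (const src of samples) {
  console.log(JSON.stringify(src), 'naive relative:', naiveIsRelative(src),
    'allowed:', isIframeSrcAllowed(src, ['player.example'], true));
}
```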
Remediation
References
https://advisory.checkmarx.net/advisory/CX-2021-4309
https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26
https://github.com/apostrophecms/sanitize-html/pull/460
Related Vulnerabilities
CVE-2020-17480 Vulnerability in npm package tinymce
CVE-2023-32314 Vulnerability in npm package vm2
CVE-2020-26870 Vulnerability in maven package org.webjars.bower:dompurify
CVE-2019-20503 Vulnerability in npm package electron
CVE-2020-13445 Vulnerability in maven package com.liferay:com.liferay.portal.template.velocity