Skip to content

sanitize-html Information Exposure vulnerability

Moderate severity GitHub Reviewed Published Feb 24, 2024 to the GitHub Advisory Database • Updated Mar 6, 2024

Package

npm sanitize-html (npm)

Affected versions

< 2.12.1

Patched versions

2.12.1

Description

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

References

Published by the National Vulnerability Database Feb 24, 2024
Published to the GitHub Advisory Database Feb 24, 2024
Reviewed Mar 1, 2024
Last updated Mar 6, 2024

Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

CVE-2024-21501

GHSA ID

GHSA-rm97-x556-q36h

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.