Arbitrary Code Execution

Affecting org.webjars.npm:sanitize-html artifact, versions [,2.0.0-beta)

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution (CWE-94). A tag transformation registered through the `transformTags` option may return a `text` property that replaces the element's content. In affected versions that text is written into the sanitized output without HTML escaping, so a transform that copies an attribute value (for example an `href`) into `text` hands an attacker control of raw markup, including script, in output the caller treats as sanitized. The org.webjars.npm artifact repackages the npm `sanitize-html` package unchanged, so the same versions of the npm package are affected.
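The pattern the advisory describes, as an added example that is not code from the sanitize-html project or from this advisory. The `transformTags` callback shape (receives `tagName` and `attribs`, returns `{ tagName, attribs, text }`) is sanitize-html's real API; `renderWithTransform` is a small stand-in written for this page that mimics the pre-2.0.0-beta behaviour of inserting `text` verbatim, it is not sanitize-html itself, and the attacker-controlled `href` value is constructed.

```javascript
// Added example: models the transformTags `text` escaping problem.
// Not sanitize-html code; renderWithTransform is a toy stand-in.

// Escape text content for safe insertion as HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Vulnerable pattern: the attribute value becomes `text` unescaped.
// On sanitize-html < 2.0.0-beta the library inserted that text as-is.
const vulnerableTransform = {
  a: function (tagName, attribs) {
    return { tagName: "a", attribs: attribs, text: attribs.href || "" };
  },
};

// Hardened pattern for callers stuck on an affected version: escape the
// value yourself before returning it. (2.0.0-beta escapes `text` itself.)
const hardenedTransform = {
  a: function (tagName, attribs) {
    return {
      tagName: "a",
      attribs: attribs,
      text: escapeHtml(attribs.href || ""),
    };
  },
};

// Toy stand-in for the affected behaviour: apply the transform for one
// already-parsed tag, escape the attribute (as the library does), but
// place `text` into the output without escaping (the bug).
function renderWithTransform(transforms, tagName, attribs) {
  const t = transforms[tagName];
  const out = t ? t(tagName, attribs) : { tagName, attribs, text: "" };
  const href = out.attribs.href
    ? ` href="${escapeHtml(out.attribs.href)}"`
    : "";
  return `<${out.tagName}${href}>${out.text}</${out.tagName}>`;
}

// Constructed attacker input: an href whose value is itself markup. It has
// no URL scheme, so a scheme allow-list does not reject it.
const attackerAttribs = { href: '<img src=x onerror="alert(1)">' };

function demo(transforms) {
  return renderWithTransform(transforms, "a", attackerAttribs);
}

// True when the attacker's markup survived as a live tag.
function isInjected(html) {
  return /<img/i.test(html);
}

console.log("vulnerable:", demo(vulnerableTransform));
console.log("hardened:  ", demo(hardenedTransform));
```

The attribute itself is safe in both cases because it is escaped on output; the injection happens only on the copy into `text`, which is exactly why a transform that turns an attribute into a text node is the affected shape.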

Remediation

Upgrade org.webjars.npm:sanitize-html to version 2.0.0-beta or higher. Until the upgrade is in place, any `transformTags` callback that builds its `text` property from attribute values must HTML-escape that value itself, and transforms that return `text` should be reviewed for attacker-controlled input.

CVSS Score

9.4
high severity (Snyk rating; 9.4 falls in the Critical band of the CVSS v3.1 qualitative scale)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Credit
mikesamuel
CWE
CWE-94
Snyk ID
SNYK-JAVA-ORGWEBJARSNPM-609871
Disclosed
07 Sep, 2020
Published
07 Sep, 2020