Arbitrary Code Execution in sanitize-html

Do your applications use this vulnerable package? Test your applications

Overview

sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Arbitrary Code Execution. Tag transformations which turn an attribute value into a text node using transformTags could be vulnerable to code execution.

Remediation

Upgrade sanitize-html to version 2.0.0-beta or higher.

References

GitHub PR

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

Low

Credit: mikesamuel
CWE: CWE-94
Snyk ID: SNYK-JS-SANITIZEHTML-585892
Disclosed: 07 Sep, 2020
Published: 07 Sep, 2020

Arbitrary Code Execution
Affecting sanitize-html package, versions <2.0.0-beta

Overview

Remediation

References

CVSS Score

Arbitrary Code Execution Affecting sanitize-html package, versions <2.0.0-beta

Overview

Remediation

References

Arbitrary Code Execution
Affecting sanitize-html package, versions <2.0.0-beta