CVE-2024-21501

2024-02-2405:00:02

snyk

www.cve.org

cve-2024-21501

information exposure

backend

style attribute

file enumeration

system files

project dependencies

attacker

vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P

5.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.1%

JSON

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

CNA Affected

[
  {
    "product": "sanitize-html",
    "versions": [
      {
        "version": "0",
        "lessThan": "2.12.1",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "org.webjars.npm:sanitize-html",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]