Lucene search

GitHub Advisory DatabaseGHSA-FX46-WHRJ-73V5

HistoryJul 24, 2018 - 8:06 p.m.

Bypassing Sanitization using DOM clobbering in html-janitor

2018-07-2420:06:17

CWE-547

CWE-642

GitHub Advisory Database

github.com

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

29.7%

JSON

All versions of html-janitor are vulnerable to cross-site scripting (XSS).

Arbitrary HTML can pass the sanitization process, which can be unexpected and dangerous (XSS) in case user-controlled input is passed to the clean function."

Recommendation

Upgrade to version 2.0.4 or later.

Affected configurations

Vulners

Node

htmljanitorRange<2.0.4

CPENameOperatorVersion
html-janitorlt2.0.4

CPE	Name	Operator	Version
	html-janitor	lt	2.0.4

References

github.com/advisories/GHSA-fx46-whrj-73v5

github.com/guardian/html-janitor/issues/35

hackerone.com/reports/308158

nvd.nist.gov/vuln/detail/CVE-2017-0928

www.npmjs.com/advisories/569

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

29.7%

JSON

Related for GHSA-FX46-WHRJ-73V5