Design/Logic Flaw

Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page...

CVE-2021-21139

Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page...

UBUNTU-CVE-2021-21139

Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page...

CVE-2021-21139

Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page...

CVE-2021-21139

CVE-2021-21139 : In Chromium/Google Chrome, an incorrect implementation in the iframe sandbox allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Affected: Chromium/Chrome before 88.0.4324.96. Impact: potential navigation bypass; remote exploitation risk is descri...

CVE-2021-21139

Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page...

Privilege Escalation

sanitize-html is vulnerable to privilege escalation. An attacker is able to bypass hostname whitelist for iframe element when the "allowIframeRelativeUrls" is set to true due to the hostnames set by the "allowedIframeHostnames" not properly validated...

CVE-2021-26540

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...

Design/Logic Flaw

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...

CVE-2021-26540

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...

CVE-2021-26540

The CVE-2021-26540 issue affects Apostrophe Technologies sanitize-html prior to 2.3.2, where the hostnames set in allowedIframeHostnames could be bypassed when allowIframeRelativeUrls is true, enabling bypass of the hostname whitelist for iframe src values starting with /\example.com. Public disc...

CVE-2021-26540

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...

PT-2021-17026

Name of the Vulnerable Software and Affected Versions sanitize-html versions prior to 2.3.1 Description The issue arises from improper handling of internationalized domain names IDN, which could allow an attacker to bypass hostname whitelist validation set by the allowedIframeHostnames option. Th...

PT-2021-17027

Name of the Vulnerable Software and Affected Versions sanitize-html versions prior to 2.3.2 Description The issue arises from improper validation of hostnames set by the allowedIframeHostnames option when allowIframeRelativeUrls is set to true. This allows attackers to bypass the hostname whiteli...

Abea Apostrophe Technologies sanitize-html input validation error vulnerability

Abea Apostrophe Technologies sanitize-html is a formatting removal tool organized by Abea USA. It provides simple HTML tag removal with a clear API. An input validation error vulnerability exists in Apostrophe Technologies sanitize-html that stems from failure to properly validate hostnames set b...

[SECURITY] [DSA 4846-1] chromium security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4846-1 [email protected] https://www.debian.org/security/ Michael Gilbert February 07, 2021 https://www.debian.org/security/faq -...

EulerOS 2.0 SP5 : doxygen (EulerOS-SA-2021-1186)

According to the version of the doxygen package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Insufficient sanitization of the query parameter in templates/html/searchopensearch.php could lead to reflected cross-site scripting or iframe...

CVE-2020-9390

SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script...

CVE-2020-9390

SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script...

Cross site scripting

SquaredUp allowed Stored XSS before version 4.6.0. A user was able to create a dashboard that executed malicious content in iframe or by uploading an SVG that contained a script...