4 matches found
CVE-2020-4054
Summary of CVE-2020-4054 details from connected docs: The Ruby gem Sanitize (versions =3.0.0) had a cross-site scripting bypass when sanitizing HTML with the default or relaxed/custom configs that allowed elements such as iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, x...
CVE-2023-36823
CVE-2023-36823 affects the Ruby sanitizer library (Sanitize). Older releases (3.0.0–6.0.1) could allow crafted HTML/CSS to bypass allowlisting when using the built-in relaxed config or a custom config permitting style elements and CSS at‑rules, enabling cross‑site scripting. Sanitize 6.0.2 fixes ...
CVE-2023-23627
CVE-2023-23627 affects the Sanitize HTML/CSS sanitizer. Vulnerable when using a custom element allowlist that includes noscript, impacting Sanitize versions 5.0.0 up to but not including 6.0.1. In such configurations, arbitrary HTML could be introduced and rendered in browsers, enabling cross-sit...
CVE-2018-3740
CVE-2018-3740 affects the ruby-sanitize (Sanitize gem for Ruby) whitelist-based HTML sanitizer. A specially crafted HTML fragment can cause non-whitelisted attributes to be applied to whitelisted elements, enabling HTML injection-like behavior. Debian’s DSA-4358-1 fixes the issue in ruby-sanitize...