6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
0.001 Low
EPSS
Percentile
50.0%
In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than
5.2.1, there is a cross-site scripting vulnerability. When HTML is
sanitized using Sanitize’s “relaxed” config, or a custom config that allows
certain elements, some content in a math or svg element may not be
sanitized correctly even if math and svg are not in the allowlist. You are
likely to be vulnerable to this issue if you use Sanitize’s relaxed config
or a custom config that allows one or more of the following HTML elements:
iframe, math, noembed, noframes, noscript, plaintext, script, style, svg,
xmp. Using carefully crafted input, an attacker may be able to sneak
arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site
scripting) or other undesired behavior when that HTML is rendered in a
browser. This has been fixed in 5.2.1.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | ruby-sanitize | < any | UNKNOWN |
ubuntu | 20.04 | noarch | ruby-sanitize | < 4.6.6-2.1~0.20.04.1 | UNKNOWN |
ubuntu | 16.04 | noarch | ruby-sanitize | < any | UNKNOWN |
github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9
github.com/rgrove/sanitize/releases/tag/v5.2.1
github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
launchpad.net/bugs/cve/CVE-2020-4054
nvd.nist.gov/vuln/detail/CVE-2020-4054
security-tracker.debian.org/tracker/CVE-2020-4054
ubuntu.com/security/notices/USN-4543-1
www.cve.org/CVERecord?id=CVE-2020-4054
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
0.001 Low
EPSS
Percentile
50.0%