Veracode Vulnerability Database: VERACODE:36266
History: Jul 06, 2022 - 6:09 a.m.

Cross-site Scripting (XSS)

Published: 2022-07-06 06:09:21
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: cross-site scripting, rails, html sanitizer, javascript, style override

EPSS: 0.001 (percentile: 47.4%)

rails-html-sanitizer is vulnerable to cross-site scripting (XSS). When the library is configured to override its default tag list so that both select and style elements are allowed, an attacker can inject JavaScript that passes through the sanitize_css function and executes in the victim's browser.

Affected configurations

Vulners node expression:
  rubyonrails rails_html_sanitizers, match 1.3.0-1 (target: rails)
  OR typo3 html_sanitizer, match 1.3.0_2.el8sat
  OR typo3 html_sanitizer, range <= 1.4.2

Vendor       Product                Version          CPE
rubyonrails  rails_html_sanitizers  1.3.0-1          cpe:2.3:a:rubyonrails:rails_html_sanitizers:1.3.0-1:*:*:*:*:rails:*:*
typo3        html_sanitizer         1.3.0_2.el8sat   cpe:2.3:a:typo3:html_sanitizer:1.3.0_2.el8sat:*:*:*:*:*:*:*
typo3        html_sanitizer         *                cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:*