Veracode Vulnerability Database: VERACODE:38478
Published: Dec 14, 2022 - 1:48 p.m.

Cross-site Scripting (XSS)

Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)

Keywords: rails-html-sanitizer, cross site scripting, vulnerability, loofah_using_html5?, remove_safelist_tag_combinations, sanitizer.rb, select element, style element, application developer

EPSS: 0.001 (percentile 44.1%)

rails-html-sanitizer is vulnerable to cross-site scripting. The issue is tied to the loofah_using_html5? and remove_safelist_tag_combinations functions in sanitizer.rb: when an application developer overrides the sanitizer's allowed tags so that both the select and style elements are permitted, an attacker can inject content that survives sanitization. The default safelist is not affected; only applications that pass a custom tag set containing both select and style need to act.
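The advisory names a safelist-combination check; the following is an added example (my own Ruby, not code from rails-html-sanitizer or from the advisory) that mirrors what such a check has to do so an application can audit every tag set it hands to the sanitizer, for instance through `sanitize(html, tags: [...])`. It assumes the only forbidden pair is the one the advisory describes (select together with style) and treats every caller as using the non-HTML5 parser; the real gem's loofah_using_html5? branch is not modelled. The helper and audit function names and the sample configurations are mine.

```ruby
# Added example, not rails-html-sanitizer's own code. Audits developer-supplied
# safelists for the select + style combination the advisory describes.

# Pairs of tags that must not both be in a sanitizer safelist. The only pair the
# advisory names is select + style; keeping the list data-driven is an assumption
# of this example so that further pairs can be added by the application.
UNSAFE_TAG_COMBINATIONS = [
  # [tag that makes the other unsafe, tag to drop]
  %w[select style],
].freeze

# Given the tags an application passes to the safelist sanitizer, return
# [cleaned_tags, warnings]. The caller's array is not mutated. The real gem
# skips this check when Loofah runs in HTML5 mode (loofah_using_html5?); this
# example assumes the HTML4 parser and applies the check unconditionally.
def remove_unsafe_tag_combinations(tags)
  cleaned = tags.map(&:to_s)
  warnings = []
  UNSAFE_TAG_COMBINATIONS.each do |trigger, victim|
    next unless cleaned.include?(trigger) && cleaned.include?(victim)
    warnings << "removing '#{victim}' from safelist: must not be combined with '#{trigger}'"
    cleaned.delete(victim)
  end
  [cleaned, warnings]
end

# True when a safelist contains no forbidden combination.
def safelist_ok?(tags)
  remove_unsafe_tag_combinations(tags).last.empty?
end

# Audit several named safelists at once (one entry per place the application
# overrides `tags:`); returns { name => warnings } for the ones needing attention.
def audit_safelists(safelists)
  safelists.each_with_object({}) do |(name, tags), report|
    _, warnings = remove_unsafe_tag_combinations(tags)
    report[name] = warnings unless warnings.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample configurations, not taken from any real application.
  configs = {
    'comments'  => %w[p a strong em],
    'rich_text' => %w[p a strong em style],
    'forms'     => %w[p select option style], # the combination the advisory describes
  }
  audit_safelists(configs).each do |name, warnings|
    warn "#{name}: #{warnings.join('; ')}"
  end
  tags, = remove_unsafe_tag_combinations(configs['forms'])
  puts "forms safelist after cleaning: #{tags.inspect}"
end
```

Run it directly to see the report for the constructed configurations; in an application, call `audit_safelists` over every custom `tags:` set at boot or in a test so that a later change cannot reintroduce the combination silently.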

Affected configurations

Vulners node:
  rubyonrails rails_html_sanitizers  Match  1.3.0-1 (target software: rails)
  OR typo3 html_sanitizer  Match  1.4.3_2.el8sat
  OR typo3 html_sanitizer  Match  1.3.0_2.el8sat
  OR typo3 html_sanitizer  Range  1.4.3

Vendor      | Product               | Version        | CPE
rubyonrails | rails_html_sanitizers | 1.3.0-1        | cpe:2.3:a:rubyonrails:rails_html_sanitizers:1.3.0-1:*:*:*:*:rails:*:*
typo3       | html_sanitizer        | 1.4.3_2.el8sat | cpe:2.3:a:typo3:html_sanitizer:1.4.3_2.el8sat:*:*:*:*:*:*:*
typo3       | html_sanitizer        | 1.3.0_2.el8sat | cpe:2.3:a:typo3:html_sanitizer:1.3.0_2.el8sat:*:*:*:*:*:*:*
typo3       | html_sanitizer        | *              | cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:*