List: oss-security
Subject: [oss-security] Re: Sanitize <= 4.6.2 HTML injection and XSS
From: Ryan Grove <ryan@wonko.com>
Date: 2018-03-20 4:13:56
Message-ID: F60A9937-D034-44A8-88C5-93300ADCC012@wonko.com
CVE-2018-3740 has been assigned for this issue.
- Ryan
> On Mar 19, 2018, at 7:50 PM, Ryan Grove <ryan@wonko.com> wrote:
>
> Sanitize is a Ruby library that removes unacceptable HTML and CSS from a string based on a whitelist. Versions 4.6.2 and below contain an HTML injection vulnerability that allows XSS.
> Details are included below, and can also be found at:
>
> https://github.com/rgrove/sanitize/issues/176
>
> ====
>
> # Sanitize XSS vulnerability
>
> This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I'd like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.
>
> ## Description
>
> A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.
>
> ## Affected Versions
>
> Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2
>
> ## Mitigation
>
> Upgrade to Sanitize 4.6.3.
>
> ## History of this vulnerability
>
> - 2018-03-19: Reported by Shopify Application Security Team via email
> - 2018-03-19: Sanitize 4.6.3 released with a fix
> - 2018-03-19: Initial vulnerability report published
>
>
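The advisory's affected-version condition is a conjunction (Sanitize below 4.6.3 AND libxml2 at or above 2.9.2), and plain string comparison gets multi-digit segments such as "4.6.10" wrong. The following is an added example, written for this page and not code from Ryan Grove's advisory or the Sanitize project, that encodes that condition with Gem::Version. The names Sanitize::VERSION and Nokogiri::VERSION_INFO["libxml"]["loaded"] used to read the live versions are assumptions about those gems; the check itself needs only the Ruby standard library.

```ruby
require "rubygems" # Gem::Version

# CVE-2018-3740 (Sanitize <= 4.6.2) is only reachable when Sanitize is
# paired with libxml2 >= 2.9.2, so the test is a conjunction of two
# version comparisons rather than a single "older than X" check.
FIXED_SANITIZE  = Gem::Version.new("4.6.3")
TRIGGER_LIBXML2 = Gem::Version.new("2.9.2")

# Returns true when the given Sanitize / libxml2 version pair is affected.
# Gem::Version compares segment by segment numerically, so "4.6.10" sorts
# above "4.6.3"; a lexical string comparison would call 4.6.10 vulnerable.
def affected?(sanitize_version, libxml2_version)
  sanitize = Gem::Version.new(sanitize_version)
  libxml2  = Gem::Version.new(libxml2_version)
  sanitize < FIXED_SANITIZE && libxml2 >= TRIGGER_LIBXML2
end

# Version strings for the libraries loaded in the current process.
# Assumed names: Sanitize::VERSION from the sanitize gem and
# Nokogiri::VERSION_INFO["libxml"]["loaded"] for the libxml2 actually
# in use (the loaded library, not the one Nokogiri was compiled against).
# Returns nil when either gem is not installed.
def loaded_versions
  require "sanitize"
  require "nokogiri"
  {
    sanitize: Sanitize::VERSION,
    libxml2:  Nokogiri::VERSION_INFO.dig("libxml", "loaded"),
  }
rescue LoadError, NameError
  nil
end

# Classifies the running process; returns :unknown when versions could
# not be read, otherwise :affected or :not_affected.
def process_status
  v = loaded_versions
  return :unknown if v.nil? || v[:sanitize].nil? || v[:libxml2].nil?
  affected?(v[:sanitize], v[:libxml2]) ? :affected : :not_affected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample pairs illustrating the conjunction.
  [["4.6.2", "2.9.7"], ["4.6.2", "2.9.1"], ["4.6.3", "2.9.7"]].each do |s, l|
    puts "Sanitize #{s} + libxml2 #{l}: #{affected?(s, l) ? 'affected' : 'not affected'}"
  end
  puts "this process: #{process_status}"
end
```

Run it inside the application's bundle (for example with `bundle exec ruby`) so that the loaded versions reflect what production actually links; the compiled-against libxml2 can differ from the one loaded at runtime, which is why the loaded value is the one to check.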