GHSA-fw3g-2h3j-qmm7
Vulnerability from github
Published
2023-01-28 01:17
Modified
2023-01-28 01:17
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Improper neutralization of `noscript` element content may allow XSS in Sanitize
Details

Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize >= 5.0.0, < 6.0.1 when Sanitize is configured with a custom allowlist that allows noscript elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.

Sanitize's default configs don't allow noscript elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

Patches

Sanitize >= 6.0.1 always removes noscript elements and their contents, even when noscript is in the allowlist.

Workarounds

Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include noscript in the element allowlist.

Details

The root cause of this issue is that HTML parsing rules treat the contents of a noscript element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a noscript element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.

References

Credit

Thanks to David Klein from TU Braunschweig (@leeN) for reporting this issue.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sanitize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23627"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-28T01:17:44Z",
    "nvd_published_at": "2023-01-28T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `\u003e= 5.0.0, \u003c 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nSanitize\u0027s default configs don\u0027t allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.\n\n### Patches\n\nSanitize `\u003e= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\n\n### Details\n\nThe root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn\u0027t support scripting so it follows the \"scripting disabled\" rules, but a web browser with scripting enabled will follow the \"scripting enabled\" rules. This means that Sanitize can\u0027t reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.\n\n### References\n\n- [Release Notes](https://github.com/rgrove/sanitize/releases/tag/v6.0.1)\n\n### Credit\n\nThanks to David Klein from [TU Braunschweig](https://www.tu-braunschweig.de/en/ias) (@leeN) for reporting this issue.",
  "id": "GHSA-fw3g-2h3j-qmm7",
  "modified": "2023-01-28T01:17:44Z",
  "published": "2023-01-28T01:17:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23627"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rgrove/sanitize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-23627.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper neutralization of `noscript` element content may allow XSS in Sanitize"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.