cnvd - cnvd-2020-52696

cnvd-2020-52696

Vulnerability from cnvd

Title: Sanitize跨站脚本漏洞

Description:

Sanitize是美国Ryan Grove软件开发者的一款HTML和CSS清理器，它支持从字符串中删除HTML和CSS等。

Sanitize 3.0.0及之后版本（5.2.1版本已修复）中存在跨站脚本漏洞。使用Sanitize的“relaxed”配置或允许某些元素的自定义配置清理HTML时，即使math和svg不在allowlist中，math或svg元素中的某些内容也可能无法正确清理。如果使用Sanitize的松弛配置或允许以下一个或多个HTML元素的自定义配置，则很可能容易出现此问题：iframe、math、noembed、noframes、noscript、纯文本、脚本、样式、svg、xmp。攻击者可借助特制输入利用该漏洞注入任意的HTML或造成其他危害。

Severity: 中

Patch Name: Sanitize跨站脚本漏洞的补丁

Patch Description:

Sanitize是美国Ryan Grove软件开发者的一款HTML和CSS清理器，它支持从字符串中删除HTML和CSS等。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/rgrove/sanitize/releases/tag/v5.2.1

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-4054

Impacted products

Name
Sanitize Sanitize >=3.0.0，<5.2.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-4054"
    }
  },
  "description": "Sanitize\u662f\u7f8e\u56fdRyan Grove\u8f6f\u4ef6\u5f00\u53d1\u8005\u7684\u4e00\u6b3eHTML\u548cCSS\u6e05\u7406\u5668\uff0c\u5b83\u652f\u6301\u4ece\u5b57\u7b26\u4e32\u4e2d\u5220\u9664HTML\u548cCSS\u7b49\u3002\n\nSanitize 3.0.0\u53ca\u4e4b\u540e\u7248\u672c\uff085.2.1\u7248\u672c\u5df2\u4fee\u590d\uff09\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u4f7f\u7528Sanitize\u7684\u201crelaxed\u201d\u914d\u7f6e\u6216\u5141\u8bb8\u67d0\u4e9b\u5143\u7d20\u7684\u81ea\u5b9a\u4e49\u914d\u7f6e\u6e05\u7406HTML\u65f6\uff0c\u5373\u4f7fmath\u548csvg\u4e0d\u5728allowlist\u4e2d\uff0cmath\u6216svg\u5143\u7d20\u4e2d\u7684\u67d0\u4e9b\u5185\u5bb9\u4e5f\u53ef\u80fd\u65e0\u6cd5\u6b63\u786e\u6e05\u7406\u3002\u5982\u679c\u4f7f\u7528Sanitize\u7684\u677e\u5f1b\u914d\u7f6e\u6216\u5141\u8bb8\u4ee5\u4e0b\u4e00\u4e2a\u6216\u591a\u4e2aHTML\u5143\u7d20\u7684\u81ea\u5b9a\u4e49\u914d\u7f6e\uff0c\u5219\u5f88\u53ef\u80fd\u5bb9\u6613\u51fa\u73b0\u6b64\u95ee\u9898\uff1aiframe\u3001math\u3001noembed\u3001noframes\u3001noscript\u3001\u7eaf\u6587\u672c\u3001\u811a\u672c\u3001\u6837\u5f0f\u3001svg\u3001xmp\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u8f93\u5165\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216\u9020\u6210\u5176\u4ed6\u5371\u5bb3\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/rgrove/sanitize/releases/tag/v5.2.1",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-52696",
  "openTime": "2020-09-18",
  "patchDescription": "Sanitize\u662f\u7f8e\u56fdRyan Grove\u8f6f\u4ef6\u5f00\u53d1\u8005\u7684\u4e00\u6b3eHTML\u548cCSS\u6e05\u7406\u5668\uff0c\u5b83\u652f\u6301\u4ece\u5b57\u7b26\u4e32\u4e2d\u5220\u9664HTML\u548cCSS\u7b49\u3002\r\n\r\nSanitize 3.0.0\u53ca\u4e4b\u540e\u7248\u672c\uff085.2.1\u7248\u672c\u5df2\u4fee\u590d\uff09\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u4f7f\u7528Sanitize\u7684\u201crelaxed\u201d\u914d\u7f6e\u6216\u5141\u8bb8\u67d0\u4e9b\u5143\u7d20\u7684\u81ea\u5b9a\u4e49\u914d\u7f6e\u6e05\u7406HTML\u65f6\uff0c\u5373\u4f7fmath\u548csvg\u4e0d\u5728allowlist\u4e2d\uff0cmath\u6216svg\u5143\u7d20\u4e2d\u7684\u67d0\u4e9b\u5185\u5bb9\u4e5f\u53ef\u80fd\u65e0\u6cd5\u6b63\u786e\u6e05\u7406\u3002\u5982\u679c\u4f7f\u7528Sanitize\u7684\u677e\u5f1b\u914d\u7f6e\u6216\u5141\u8bb8\u4ee5\u4e0b\u4e00\u4e2a\u6216\u591a\u4e2aHTML\u5143\u7d20\u7684\u81ea\u5b9a\u4e49\u914d\u7f6e\uff0c\u5219\u5f88\u53ef\u80fd\u5bb9\u6613\u51fa\u73b0\u6b64\u95ee\u9898\uff1aiframe\u3001math\u3001noembed\u3001noframes\u3001noscript\u3001\u7eaf\u6587\u672c\u3001\u811a\u672c\u3001\u6837\u5f0f\u3001svg\u3001xmp\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u8f93\u5165\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684HTML\u6216\u9020\u6210\u5176\u4ed6\u5371\u5bb3\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sanitize\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Sanitize Sanitize \u003e=3.0.0\uff0c\u003c5.2.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-4054",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-17",
  "title": "Sanitize\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2020-4054 (GCVE-0-2020-4054)

Vulnerability from cvelistv5

Published

2020-06-16 22:10

Modified

2024-08-04 07:52

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1.

References

▼	URL	Tags
	https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m	x_refsource_CONFIRM
	https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9	x_refsource_MISC
	https://github.com/rgrove/sanitize/releases/tag/v5.2.1	x_refsource_MISC
	https://www.debian.org/security/2020/dsa-4730	vendor-advisory, x_refsource_DEBIAN
	https://usn.ubuntu.com/4543-1/	vendor-advisory, x_refsource_UBUNTU

Impacted products

	Vendor	Product	Version
	rgrove	Sanitize	Version: >= 3.0.0, < 5.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:52:20.925Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1"
          },
          {
            "name": "DSA-4730",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4730"
          },
          {
            "name": "USN-4543-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4543-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sanitize",
          "vendor": "rgrove",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 5.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize\u0027s \"relaxed\" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize\u0027s relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-28T19:06:13",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1"
        },
        {
          "name": "DSA-4730",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4730"
        },
        {
          "name": "USN-4543-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4543-1/"
        }
      ],
      "source": {
        "advisory": "GHSA-p4x4-rw2p-8j8m",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site Scripting in Sanitize",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-4054",
          "STATE": "PUBLIC",
          "TITLE": "Cross-site Scripting in Sanitize"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Sanitize",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 3.0.0, \u003c 5.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "rgrove"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize\u0027s \"relaxed\" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize\u0027s relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m",
              "refsource": "CONFIRM",
              "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m"
            },
            {
              "name": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9",
              "refsource": "MISC",
              "url": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9"
            },
            {
              "name": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1",
              "refsource": "MISC",
              "url": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1"
            },
            {
              "name": "DSA-4730",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4730"
            },
            {
              "name": "USN-4543-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4543-1/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-p4x4-rw2p-8j8m",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-4054",
    "datePublished": "2020-06-16T22:10:13",
    "dateReserved": "2019-12-30T00:00:00",
    "dateUpdated": "2024-08-04T07:52:20.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted