CVE-2020-4054

Name of the Vulnerable Software and Affected Versions: Sanitize versions 3.0.0 through 5.2.0

Description: The issue is related to insufficient protection measures in the Sanitize library for Ruby, allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. Specifically, when using Sanitize's "relaxed" config or a custom config that allows certain elements, some content in math or svg elements may not be sanitized correctly. This can lead to cross-site scripting (XSS) or other undesired behavior when rendered in a browser, especially if the config allows elements like iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, or xmp.

Recommendations: For Sanitize versions 3.0.0 through 5.2.0, update to version 5.2.1 to resolve the issue. As a temporary workaround, consider restricting the use of Sanitize's "relaxed" config or custom configs that allow potentially vulnerable HTML elements until a patch is applied.