PT-2023-8924 · Sanitize

Cure53 · Published 2023-07-06 · Updated 2024-04-24 · CVE-2023-36823

CVSS v2.0: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Sanitize versions 3.0.0 through 6.0.2

Description

The issue affects Sanitize, an HTML and CSS sanitizer. Using carefully crafted input, an attacker can sneak arbitrary HTML and CSS through the sanitizer. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Exploitation is possible when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows style elements and one or more CSS at-rules.

Recommendations

For Sanitize versions 3.0.0 through 6.0.2, consider the following:
  • Upgrade to Sanitize version 6.0.2 or later, which performs additional escaping of CSS in style element content.
  • Use a Sanitize config that doesn't allow style elements.
  • Use a Sanitize config that doesn't allow CSS at-rules.
  • Manually escape the character sequence </ as <\/ in style element content.
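
The check below is an added example, not code from Sanitize or from this advisory: it flags custom configs that meet both conditions in the description (style elements plus at least one CSS at-rule) and applies the manual `</` escape from the last recommendation. The config keys are assumed to follow Sanitize's config layout, and the sample configs and their names are constructed.

```ruby
# Added example: plain Ruby, no gems required.
# Config hashes are constructed samples laid out like Sanitize configs.

AT_RULE_KEYS = %i[at_rules at_rules_with_properties at_rules_with_styles].freeze

# True when a config meets both conditions named in the description:
# style elements are allowed AND at least one CSS at-rule is allowed.
def exposed_config?(config)
  elements = Array(config[:elements]).map { |e| e.to_s.downcase }
  css = config[:css] || {}
  at_rules = AT_RULE_KEYS.flat_map { |key| Array(css[key]) }
  elements.include?('style') && !at_rules.empty?
end

# Manual mitigation from the recommendations: rewrite "</" as "<\/" in text
# that will be placed inside a style element. The block form is used so the
# backslash in the replacement is taken literally.
def escape_style_content(css_text)
  css_text.gsub('</') { '<\/' }
end

# Constructed sample configs (hypothetical names, not Sanitize built-ins).
SAMPLE_CONFIGS = {
  'comments'   => { elements: %w[a b p], css: { properties: %w[color] } },
  'theming'    => { elements: %w[p style], css: { at_rules_with_styles: %w[media] } },
  'style_only' => { elements: %w[style], css: { properties: %w[color] } }
}.freeze

# Names of the configs that need one of the recommended changes.
def exposed_config_names(configs)
  configs.select { |_name, cfg| exposed_config?(cfg) }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "Exposed configs: #{exposed_config_names(SAMPLE_CONFIGS).inspect}"
  puts escape_style_content('p { color: red } </style>')
end
```

The built-in "relaxed" config is named as affected in the description, so it needs no per-key check.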

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-02630
CVE-2023-36823
DLA-3652-1
DSA-5616-1
GHSA-F5WW-CQ3M-Q3G7
USN-6748-1

Affected Products

Linuxmint
Sanitize
Ubuntu