Homepage
About Snyk

org.webjars.npm:sanitize-html@1.20.1 vulnerabilities

  • latest version

    2.7.0

  • first published

    8 years ago

  • latest version published

    2 years ago

  • licenses detected

  • package manager

    View on Maven Repository
Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:sanitize-html package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

Affected versions of this package are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

How to fix Information Exposure?

There is no fixed version for org.webjars.npm:sanitize-html.

[0,)
  • M
Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade org.webjars.npm:sanitize-html to version 2.7.1 or higher.

[,2.7.1)
  • M
Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass. Internationalized domain name (IDN) is not properly handled. This allows attackers to bypass hostname whitelist validation set by the allowedIframeHostnames option.

How to fix Access Restriction Bypass?

Upgrade org.webjars.npm:sanitize-html to version 2.3.1 or higher.

[,2.3.1)
  • M
Validation Bypass

Affected versions of this package are vulnerable to Validation Bypass. There is no proper validation of the hostnames set by the allowedIframeHostnames option when the allowIframeRelativeUrls is set to true. This allows attackers to bypass the hostname whitelist for the iframe element.

How to fix Validation Bypass?

Upgrade org.webjars.npm:sanitize-html to version 2.3.1 or higher.

[,2.3.1)
  • C
Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution. Tag transformations which turn an attribute value into a text node using transformTags could be vulnerable to code execution.

How to fix Arbitrary Code Execution?

Upgrade org.webjars.npm:sanitize-html to version 2.0.0-beta or higher.

[,2.0.0-beta)
Go back to all versions of this package