Homepage
About Snyk

HTML Injection Affecting sanitize package, versions <4.6.3

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.14% (51st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-SANITIZE-22024
  • published 21 Mar 2018
  • disclosed 19 Mar 2018
  • credit Shopify Application Security Team
Report a new vulnerability Found a mistake?

Introduced: 19 Mar 2018

CVE-2018-3740 Open this link in a new tab
CWE-74 Open this link in a new tab

How to fix?

Upgrade sanitize to version 4.6.3 or higher.

Overview

sanitize is a whitelist-based HTML and CSS sanitizer.

When used in combination with libxml2 versions >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements. This can allow HTML and JavaScript injection, which could result in XSS if Sanitize's output is served to browsers.

Timeline

  • 2018-03-19: Reported by Shopify Application Security Team via email
  • 2018-03-19: Sanitize 4.6.3 released with a fix
  • 2018-03-19: Initial vulnerability report published

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    High
  • Availability (A)
    None