CVE-2019-25225

Опубликовано: 08 сент. 2025

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize content when using the custom transformTags option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

Ссылки

https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2019/CVE-2019-25225
Exploit
Third Party Advisory
https://github.com/apostrophecms/sanitize-html/commit/712cb6895825c8bb6ede71a16b42bade42abcaf3
Patch
https://github.com/apostrophecms/sanitize-html/issues/293
Issue Tracking
Vendor Advisory
https://github.com/apostrophecms/sanitize-html/pull/156
Issue Tracking
Patch

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:node.js:*:*

Версия до 2.0.0 (исключая)

EPSS

Процентиль: 8%

0.00031

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2019-25225

CVSS3: 6.1

ubuntu

5 месяцев назад

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.

CVE-2019-25225

CVSS3: 6.1

redhat

5 месяцев назад

CVE-2019-25225

CVSS3: 6.1

debian

5 месяцев назад

`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-sit ...

GHSA-qhxp-v273-g94h

CVSS3: 6.1

github

5 месяцев назад

sanitize-html is vulnerable to XSS through incomprehensive sanitization

EPSS

Процентиль: 8%

0.00031

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79