CVE-2020-26293

Опубликовано: 04 янв. 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the <style> tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the <style> tag so there is no risk if you have not explicitly allowed the <style> tag. The problem has been fixed in version 5.0.372.

Ссылки

https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8
Patch
Third Party Advisory
https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372
Release Notes
Third Party Advisory
https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv
Third Party Advisory
https://www.nuget.org/packages/HtmlSanitizer/
Product
Third Party Advisory
https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8
Patch
Third Party Advisory
https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372
Release Notes
Third Party Advisory
https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv
Third Party Advisory
https://www.nuget.org/packages/HtmlSanitizer/
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:htmlsanitizer_project:htmlsanitizer:*:*:*:*:*:*:*:*

Версия до 5.0.372 (исключая)

EPSS

Процентиль: 56%

0.00344

Низкий

6.1 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-74

CWE-79

Связанные уязвимости

GHSA-8j9v-h2vp-2hhv

CVSS3: 6.1

github

около 5 лет назад

XSS in HtmlSanitizer

EPSS

Процентиль: 56%

0.00344

Низкий

6.1 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-74

CWE-79