Description
sanitize-html prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The sanitizeHtml() function in index.js does not sanitize the text produced through the custom transformTags option, which is intended to convert attribute values into text: whatever a transform returns as text is written into the output unchanged. As a result, attacker-controlled attribute values can be transformed into executable code by the very transform that was meant to neutralise them.
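The failure mode described above, as an added JavaScript example that is not sanitize-html's own code: a minimal model of the step at issue, a transformTags-style callback (here named hrefToText, a name chosen for this example) that turns a link's href into the element's visible text, serialized once with the returned text passed through unescaped, as the pre-2.0.0-beta behaviour described above, and once with it HTML-escaped. The attribute value the attacker supplies is constructed for the example; a real HTML parser would hand it to the callback already decoded, exactly as written here.

```javascript
// Added example, not sanitize-html's own code. It models the single step at
// issue: a transformTags callback returns { tagName, attribs, text }, and the
// sanitizer serializes that object. Attribute values are attacker-controlled.

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Serialize the object a transformTags-style callback returned.
// escapeText=false reproduces the behaviour described above: `text` is
// concatenated into the output as-is, so a "<" in it starts a real tag.
function serializeTransformed(result, escapeText) {
  const attrs = Object.entries(result.attribs || {})
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
    .join('');
  const text = result.text === undefined
    ? ''
    : (escapeText ? escapeHtml(result.text) : result.text);
  return `<${result.tagName}${attrs}>${text}</${result.tagName}>`;
}

// The "attribute value into text" use case: replace a link with a span whose
// text is the original href. (Hypothetical transform written for this example.)
function hrefToText(tagName, attribs) {
  return { tagName: 'span', attribs: {}, text: attribs.href };
}

// Constructed attacker input: the parser has already decoded the attribute,
// so the callback receives a raw "<img ...>" string as the href.
const attackerAttribs = { href: '<img src=x onerror=alert(1)>' };

// Output when the transform's text is trusted as markup.
function vulnerableOutput() {
  return serializeTransformed(hrefToText('a', attackerAttribs), false);
}

// Output when the transform's text is escaped like any other text node.
function hardenedOutput() {
  return serializeTransformed(hrefToText('a', attackerAttribs), true);
}

// Review check: does any tag other than the one the transform asked for
// survive in the serialized output?
function containsUnexpectedTag(html, allowedTag) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => t !== allowedTag);
}

console.log('vulnerable:', vulnerableOutput());
console.log('hardened:  ', hardenedOutput());
```

The same check applies to a real sanitizer: feed an attribute value containing `<` into any transform that promotes attributes to text and confirm that no tag other than the one the transform returned appears in the output.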
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Not affected | | |
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Not affected | | |
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel9 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/prometheus-rhel9 | Not affected | | |
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/thanos-rhel9 | Not affected | | |
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Not affected | | |
| Red Hat Developer Hub | rhdh/rhdh-rhel9-operator | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-console | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-console-rhel9 | Not affected | | |
Additional information
CVSS3 base score: 6.1 Medium
Related vulnerabilities
sanitize-html is vulnerable to XSS through incomplete sanitization (this entry; 6.1 Medium, CVSS3)