CVE-2021-26540

Опубликовано: 26 янв. 2021

Источник: redhat

CVSS3: 5.3

Описание

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\example.com".

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
OpenShift Service Mesh 2.0	servicemesh-prometheus	Affected
Red Hat OpenShift Container Platform 4.8	openshift4/ose-console	Fixed	RHSA-2021:2438	27.07.2021
Red Hat OpenShift Container Platform 4.8	openshift4/ose-thanos-rhel8	Fixed	RHSA-2021:2438	27.07.2021
Red Hat OpenShift Container Platform 4.9	openshift4/ose-prometheus	Fixed	RHSA-2021:3759	18.10.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=1932323sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element

5.3 Medium

CVSS3

Связанные уязвимости

CVE-2021-26540

CVSS3: 5.3

nvd

около 5 лет назад

CVE-2021-26540

CVSS3: 5.3

debian

около 5 лет назад

Apostrophe Technologies sanitize-html before 2.3.2 does not properly v ...

GHSA-mjxr-4v3x-q3m4

CVSS3: 5.3

github

почти 5 лет назад

Improper Input Validation in sanitize-html

5.3 Medium

CVSS3