CVE-2020-4054

Severity: HIGH 7.3 | EPSS 0.48%

Cross-site Scripting in Sanitize

Published: 6/16/2020 | Modified: 3/13/2026
Also known as: GHSA-p4x4-rw2p-8j8m

Description

When HTML is sanitized using Sanitize's "relaxed" config or a custom config that allows certain elements, some content in a `<math>` or `<svg>` element may not be sanitized correctly even if `math` and `svg` are not in the allowlist.

You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:

- `iframe`
- `math`
- `noembed`
- `noframes`
- `noscript`
- `plaintext`
- `script`
- `style`
- `svg`
- `xmp`

### Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.

### Releases

This problem has been fixed in Sanitize 5.2.1.

### Workarounds

If upgrading is not possible, a workaround is to override the default value of Sanitize's `:remove_contents` config option with the following value, which ensures that the contents of `math` and `svg` elements (among others) are removed entirely when those elements are not in the allowlist:

```ruby
%w[iframe math noembed noframes noscript plaintext script style svg xmp]
```

For example, if you currently use Sanitize's relaxed config, you can create a custom config object that overrides the default value of `:remove_contents` like this:

```ruby
custom_config = Sanitize::Config.merge(
  Sanitize::Config::RELAXED,
  :remove_contents => %w[iframe math noembed noframes noscript plaintext script style svg xmp]
)
```

You would then pass this custom config to Sanitize when sanitizing HTML.

### For more information

If you have any questions or comments about this advisory:

- Open an issue in the [Sanitize repo](https://github.com/rgrove/sanitize).
- See Sanitize's [security policy](https://github.com/rgrove/sanitize/security/policy).

### Credits

Many thanks to Michal Bentkowski of Securitum for reporting this bug and helping to verify the fix.

### References

- [GHSA-p4x4-rw2p-8j8m](https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m)
- [CVE-2020-4054](https://nvd.nist.gov/vuln/detail/CVE-2020-4054)
- https://github.com/rgrove/sanitize/releases/tag/v5.2.1
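The workaround above, as an added example that is not part of the advisory or the Sanitize project: a small Ruby check that audits a Sanitize config hash for the recommended `:remove_contents` coverage and returns a hardened copy. The `:elements` and `:remove_contents` keys and `Sanitize::Config.merge` are the gem's real API; the `SAMPLE_CONFIG` hash is constructed for this example and the two helper functions are hypothetical names, not part of the gem. It runs without the gem installed because it only manipulates the config hash; the final step of handing that hash to Sanitize is shown in a comment.

```ruby
# Added example (not from the advisory or the Sanitize project):
# audit a Sanitize config hash for CVE-2020-4054's workaround and apply it.
#
# Sanitize configs are plain Ruby hashes; :elements and :remove_contents
# are the gem's real keys. Everything else here is constructed.

# The advisory's recommended :remove_contents value: elements whose contents
# must be dropped entirely whenever the element itself is not allowlisted.
UNSAFE_CONTENT_ELEMENTS =
  %w[iframe math noembed noframes noscript plaintext script style svg xmp].freeze

# Hypothetical helper: returns the elements from UNSAFE_CONTENT_ELEMENTS whose
# contents the given config would NOT remove. `:remove_contents => true`
# removes the contents of every non-allowlisted element, so nothing is missing
# in that case; a nil or absent value is treated as an empty list.
def missing_remove_contents(config)
  remove = config[:remove_contents]
  return [] if remove == true

  removed = Array(remove).map(&:to_s)
  UNSAFE_CONTENT_ELEMENTS.reject { |element| removed.include?(element) }
end

# Hypothetical helper: returns a copy of the config whose :remove_contents
# covers every element in UNSAFE_CONTENT_ELEMENTS, keeping any extra element
# names the caller already listed. A config using `true` is returned as-is.
def harden_config(config)
  return config if config[:remove_contents] == true

  current = Array(config[:remove_contents]).map(&:to_s)
  config.merge(remove_contents: current | UNSAFE_CONTENT_ELEMENTS)
end

# Constructed sample: a custom config that drops the contents of the usual
# script-bearing elements but says nothing about math, svg, plaintext or xmp.
SAMPLE_CONFIG = {
  elements: %w[a b i p strong em ul ol li],
  remove_contents: %w[iframe noembed noframes noscript script style]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "not covered by :remove_contents: #{missing_remove_contents(SAMPLE_CONFIG).inspect}"
  hardened = harden_config(SAMPLE_CONFIG)
  puts "after hardening: #{missing_remove_contents(hardened).inspect}"
  # With the gem loaded (require 'sanitize'), the hardened hash is applied
  # exactly as the advisory shows, and the result passed to Sanitize:
  #   config = Sanitize::Config.merge(Sanitize::Config::RELAXED, hardened)
  #   Sanitize.fragment(untrusted_html, config)
end
```

The audit is deliberately config-only: it tells you whether a deployment has picked up the workaround without needing the gem at hand, which makes it usable in a pre-deploy check or a configuration review across several applications.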

Affected packages (3)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |

References (9)