CVE-2021-26540
MEDIUM5.3EPSS 0.29%Improper Input Validation in sanitize-html
發布日:2021/5/6修改日:2023/11/8
描述
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".
受影響套件(1)
- npm/sanitize-htmlfrom 0, < 2.3.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |