CVE-2023-36823
HIGH 7.1 | EPSS 0.42% | Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content
Description
### Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize `>= 3.0.0, < 6.0.2` when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in XSS (cross-site scripting) or other undesired behavior when the malicious HTML and CSS are rendered in a browser.

### Patches

Sanitize `>= 6.0.2` performs additional escaping of CSS in `style` element content, which fixes this issue.

### Workarounds

Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `</` as `<\/` in `style` element content.

### Credit

This issue was found by @cure53 during an audit of a project that uses Sanitize and was reported by one of that project's maintainers. Thank you!
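The last workaround above (escaping `</` as `<\/` inside `style` element content) is small enough to show in plain Ruby. The block below is an added example, not code from the Sanitize project or the advisory; the helper names and the sample CSS are constructed for this demonstration, and it assumes the escaping is applied to the CSS text that will be emitted as a `style` element's content after sanitization.

```ruby
# Added example (not Sanitize's own code): the advisory's workaround of escaping
# the two-character sequence "</" as "<\/" in style element content. In CSS a
# backslash before "/" is an ordinary character escape, so the stylesheet keeps
# its meaning, while an HTML parser no longer sees "</" and cannot be made to
# close the <style> element early.

# Escape every "</" in a CSS string as "<\/". The block form of gsub inserts the
# replacement literally, so the backslash is not treated as a back-reference.
def escape_style_content(css)
  css.gsub('</') { '<\/' }
end

# True when the CSS text, emitted verbatim between <style> and </style>, would be
# read by an HTML parser as closing the element before its real end tag. Useful
# as a check on sanitizer output when you cannot upgrade yet.
def closes_style_early?(css)
  css.match?(%r{</style\b}i)
end

# Returns the escaped CSS, or raises if escaping somehow left a premature close.
def safe_style_content(css)
  escaped = escape_style_content(css)
  raise ArgumentError, 'style content still closes the element' if closes_style_early?(escaped)
  escaped
end

# Constructed sample: CSS text that an HTML parser would read as ending the style
# element partway through. Escaping neutralizes the "</" without touching the rule.
SAMPLE_CSS = 'p { color: red } </style>'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "before: #{SAMPLE_CSS.inspect}  closes early: #{closes_style_early?(SAMPLE_CSS)}"
  out = safe_style_content(SAMPLE_CSS)
  puts "after:  #{out.inspect}  closes early: #{closes_style_early?(out)}"
end
```

The escaping is deliberately applied to the CSS string rather than to a serialized HTML fragment: once `</style>` text is sitting inside markup, a regex over the HTML can no longer tell the injected close from the real one, which is exactly why the advisory ties the workaround to `style` element content. The other two workarounds (a config without `style`, or without CSS at-rules) are configuration changes to Sanitize itself and need the gem, so they are not shown here.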
Affected packages (4)
- Debian/ruby-sanitize: from 0, < 5.2.1-2+deb11u1
- Debian/ruby-sanitize: from 0, < 4.6.6-2.1~deb10u2
- Debian/ruby-sanitize: from 0, < 5.2.1-2+deb11u1
- RubyGems/sanitize: >= 3.0.0, < 6.0.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-36823
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2023-36823
- PATCH: https://github.com/rgrove/sanitize
- WEB: https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220
- WEB: https://github.com/rgrove/sanitize/releases/tag/v6.0.2
- WEB: https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-36823.yml
- WEB: https://lists.debian.org/debian-lts-announce/2023/11/msg00008.html