Homepage
About Snyk

HTML Injection Affecting sanitize package, versions <4.6.3

0.0
high

Snyk CVSS

    Attack Complexity Low
    Integrity High

    Threat Intelligence

    EPSS 0.14% (50th percentile)
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-SANITIZE-22024
  • published 21 Mar 2018
  • disclosed 19 Mar 2018
  • credit Shopify Application Security Team
Report a new vulnerability Found a mistake?

Introduced: 19 Mar 2018

CVE-2018-3740 Open this link in a new tab
CWE-74 Open this link in a new tab

How to fix?

Upgrade sanitize to version 4.6.3 or higher.

Overview

sanitize is a whitelist-based HTML and CSS sanitizer.

When used in combination with libxml2 versions >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements. This can allow HTML and JavaScript injection, which could result in XSS if Sanitize's output is served to browsers.

Timeline

  • 2018-03-19: Reported by Shopify Application Security Team via email
  • 2018-03-19: Sanitize 4.6.3 released with a fix
  • 2018-03-19: Initial vulnerability report published

References