CVE-2024-21501
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
24/02/2024
Last modified:
25/04/2025
Description
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Impact
Base Score 3.x:
5.30
Severity 3.x:
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:node.js:*:* | | 2.12.1 (excluding) |
| cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* | | |
| cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf
- https://github.com/apostrophecms/apostrophe/discussions/4436
- https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4
- https://github.com/apostrophecms/sanitize-html/pull/650
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557
- https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334