Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728506 (CVE-2020-4054) - <dev-ruby/sanitize-5.2.1: XSS / filter bypass (CVE-2020-4054)
Summary: <dev-ruby/sanitize-5.2.1: XSS / filter bypass (CVE-2020-4054)
Status: RESOLVED FIXED
Alias: CVE-2020-4054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/rgrove/sanitize/se...
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-16 23:51 UTC by Sam James
Modified: 2020-07-05 09:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-06-16 23:51:53 UTC
Description:
"In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. 

When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. 

You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1."
Comment 1 Hans de Graaff gentoo-dev 2020-06-17 05:53:46 UTC
sanitize 5.2.1 has been added.
Comment 2 Sam James archtester gentoo-dev Security 2020-06-17 21:09:33 UTC
(In reply to Hans de Graaff from comment #1)
> sanitize 5.2.1 has been added.

Thanks Hans. Please cleanup when you're ready.
Comment 3 Hans de Graaff gentoo-dev 2020-07-05 06:56:52 UTC
cleanup done.
Comment 4 Sam James archtester gentoo-dev Security 2020-07-05 09:49:11 UTC
(In reply to Hans de Graaff from comment #3)
> cleanup done.

All done.