CVE-2020-26293
on nuget
on github
Published
Severity
CVSS v3:
6.1 MEDIUM
CVSS v2:
4.3 MEDIUM
Description
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372.
References
Configurations
CPE23 | Version Start | Version End | Exact Version |
---|---|---|---|
cpe:2.3:a:htmlsanitizer_project:htmlsanitizer:*:*:*:*:*:*:*:* | n/a | 5.0.372 | * |