CVE-2020-26293

HtmlSanitizer

on nuget

mganss/HtmlSanitizer

on github

Published

January 4, 2021

Severity

CVSS v3:

6.1 MEDIUM

CVSS v2:

4.3 MEDIUM

Description

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372.

References

https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv
https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8
https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372
https://www.nuget.org/packages/HtmlSanitizer/

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:htmlsanitizer_project:htmlsanitizer::::::::	n/a	5.0.372	*

External Links

NVD - CVE-2020-26293