cvelistv5 - cve-2023-23627

CVE-2023-23627 (GCVE-0-2023-23627)

Vulnerability from cvelistv5 – Published: 2023-01-27 23:44 – Updated: 2025-03-10 21:17

Title

Sanitize vulnerable to Cross-site Scripting via Improper neutralization of `noscript` element

Summary

Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/rgrove/sanitize/security/advis…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	rgrove	sanitize	Affected: >= 5.0.0, < 6.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:35:33.641Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23627",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:58:50.279686Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:17:49.562Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sanitize",
          "vendor": "rgrove",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 6.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-27T23:44:17.617Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
        }
      ],
      "source": {
        "advisory": "GHSA-fw3g-2h3j-qmm7",
        "discovery": "UNKNOWN"
      },
      "title": "Sanitize vulnerable to Cross-site Scripting via Improper neutralization of `noscript` element"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-23627",
    "datePublished": "2023-01-27T23:44:17.617Z",
    "dateReserved": "2023-01-16T17:07:46.244Z",
    "dateUpdated": "2025-03-10T21:17:49.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sanitize_project:sanitize:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndExcluding\": \"6.0.1\", \"matchCriteriaId\": \"26E22D53-17FD-43AE-9997-3D67C7A8E4A0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\"}, {\"lang\": \"es\", \"value\": \"Sanitize es un desinfectante de HTML y CSS basado en listas de permitidos. Las versiones 5.0.0 y posteriores, anteriores a la 6.0.1, son vulnerables a cross-site scripting. Cuando Sanitize se configura con una lista de permitidos personalizada que permite elementos \\\"noscript\\\", los atacantes pueden incluir HTML arbitrario, lo que genera XSS (scripting entre sitios) u otro comportamiento no deseado cuando ese HTML se representa en un navegador. Las configuraciones predeterminadas no permiten elementos \\\"noscript\\\" y no son vulnerables. Este problema solo afecta a los usuarios que utilizan una configuraci\\u00f3n personalizada que agrega \\\"noscript\\\" a la lista de elementos permitidos. Este problema se solucion\\u00f3 en la versi\\u00f3n 6.0.1. Los usuarios que no pueden actualizar pueden evitar este problema usando una de las configuraciones predeterminadas de Sanitize o asegur\\u00e1ndose de que su configuraci\\u00f3n personalizada no incluya \\\"noscript\\\" en la lista de elementos permitidos.\"}]",
      "id": "CVE-2023-23627",
      "lastModified": "2024-11-21T07:46:33.960",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2023-01-28T00:15:09.577",
      "references": "[{\"url\": \"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Release Notes\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-23627\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-28T00:15:09.577\",\"lastModified\":\"2024-11-21T07:46:33.960\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\"},{\"lang\":\"es\",\"value\":\"Sanitize es un desinfectante de HTML y CSS basado en listas de permitidos. Las versiones 5.0.0 y posteriores, anteriores a la 6.0.1, son vulnerables a cross-site scripting. Cuando Sanitize se configura con una lista de permitidos personalizada que permite elementos \\\"noscript\\\", los atacantes pueden incluir HTML arbitrario, lo que genera XSS (scripting entre sitios) u otro comportamiento no deseado cuando ese HTML se representa en un navegador. Las configuraciones predeterminadas no permiten elementos \\\"noscript\\\" y no son vulnerables. Este problema solo afecta a los usuarios que utilizan una configuraci\u00f3n personalizada que agrega \\\"noscript\\\" a la lista de elementos permitidos. Este problema se solucion\u00f3 en la versi\u00f3n 6.0.1. Los usuarios que no pueden actualizar pueden evitar este problema usando una de las configuraciones predeterminadas de Sanitize o asegur\u00e1ndose de que su configuraci\u00f3n personalizada no incluya \\\"noscript\\\" en la lista de elementos permitidos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sanitize_project:sanitize:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"6.0.1\",\"matchCriteriaId\":\"26E22D53-17FD-43AE-9997-3D67C7A8E4A0\"}]}]}],\"references\":[{\"url\":\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Release Notes\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\", \"name\": \"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T10:35:33.641Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-23627\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T20:58:50.279686Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T20:58:52.273Z\"}}], \"cna\": {\"title\": \"Sanitize vulnerable to Cross-site Scripting via Improper neutralization of `noscript` element\", \"source\": {\"advisory\": \"GHSA-fw3g-2h3j-qmm7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"rgrove\", \"product\": \"sanitize\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.0.0, \u003c 6.0.1\"}]}], \"references\": [{\"url\": \"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\", \"name\": \"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-01-27T23:44:17.617Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-23627\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:17:49.562Z\", \"dateReserved\": \"2023-01-16T17:07:46.244Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-01-27T23:44:17.617Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-FW3G-2H3J-QMM7

Vulnerability from github – Published: 2023-01-28 01:17 – Updated: 2023-01-28 01:17

Summary

Improper neutralization of `noscript` element content may allow XSS in Sanitize

Details

Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize >= 5.0.0, < 6.0.1 when Sanitize is configured with a custom allowlist that allows noscript elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.

Sanitize's default configs don't allow noscript elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

Patches

Sanitize >= 6.0.1 always removes noscript elements and their contents, even when noscript is in the allowlist.

Workarounds

Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include noscript in the element allowlist.

Details

The root cause of this issue is that HTML parsing rules treat the contents of a noscript element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a noscript element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.

References

Release Notes

Credit

Thanks to David Klein from TU Braunschweig (@leeN) for reporting this issue.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "sanitize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23627"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-28T01:17:44Z",
    "nvd_published_at": "2023-01-28T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `\u003e= 5.0.0, \u003c 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nSanitize\u0027s default configs don\u0027t allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.\n\n### Patches\n\nSanitize `\u003e= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\n\n### Details\n\nThe root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn\u0027t support scripting so it follows the \"scripting disabled\" rules, but a web browser with scripting enabled will follow the \"scripting enabled\" rules. This means that Sanitize can\u0027t reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.\n\n### References\n\n- [Release Notes](https://github.com/rgrove/sanitize/releases/tag/v6.0.1)\n\n### Credit\n\nThanks to David Klein from [TU Braunschweig](https://www.tu-braunschweig.de/en/ias) (@leeN) for reporting this issue.",
  "id": "GHSA-fw3g-2h3j-qmm7",
  "modified": "2023-01-28T01:17:44Z",
  "published": "2023-01-28T01:17:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23627"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rgrove/sanitize"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-23627.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper neutralization of `noscript` element content may allow XSS in Sanitize"
}

FKIE_CVE-2023-23627

Vulnerability from fkie_nvd - Published: 2023-01-28 00:15 - Updated: 2024-11-21 07:46

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7	Mitigation, Release Notes, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7	Mitigation, Release Notes, Third Party Advisory

Impacted products

	Vendor	Product	Version
	sanitize_project	sanitize	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sanitize_project:sanitize:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "26E22D53-17FD-43AE-9997-3D67C7A8E4A0",
              "versionEndExcluding": "6.0.1",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist."
    },
    {
      "lang": "es",
      "value": "Sanitize es un desinfectante de HTML y CSS basado en listas de permitidos. Las versiones 5.0.0 y posteriores, anteriores a la 6.0.1, son vulnerables a cross-site scripting. Cuando Sanitize se configura con una lista de permitidos personalizada que permite elementos \"noscript\", los atacantes pueden incluir HTML arbitrario, lo que genera XSS (scripting entre sitios) u otro comportamiento no deseado cuando ese HTML se representa en un navegador. Las configuraciones predeterminadas no permiten elementos \"noscript\" y no son vulnerables. Este problema solo afecta a los usuarios que utilizan una configuraci\u00f3n personalizada que agrega \"noscript\" a la lista de elementos permitidos. Este problema se solucion\u00f3 en la versi\u00f3n 6.0.1. Los usuarios que no pueden actualizar pueden evitar este problema usando una de las configuraciones predeterminadas de Sanitize o asegur\u00e1ndose de que su configuraci\u00f3n personalizada no incluya \"noscript\" en la lista de elementos permitidos."
    }
  ],
  "id": "CVE-2023-23627",
  "lastModified": "2024-11-21T07:46:33.960",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-01-28T00:15:09.577",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GSD-2023-23627

Vulnerability from gsd - Updated: 2023-01-28 00:00

Details

### Impact Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `>= 5.0.0, < 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. Sanitize's default configs don't allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. ### Patches Sanitize `>= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist. ### Workarounds Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist. ### Details The root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.

Aliases

CVE-2023-23627

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-23627",
    "id": "GSD-2023-23627"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "sanitize",
            "purl": "pkg:gem/sanitize"
          }
        }
      ],
      "aliases": [
        "CVE-2023-23627",
        "GHSA-fw3g-2h3j-qmm7"
      ],
      "details": "### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `\u003e= 5.0.0, \u003c 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nSanitize\u0027s default configs don\u0027t allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.\n\n### Patches\n\nSanitize `\u003e= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\n\n### Details\n\nThe root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn\u0027t support scripting so it follows the \"scripting disabled\" rules, but a web browser with scripting enabled will follow the \"scripting enabled\" rules. This means that Sanitize can\u0027t reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.",
      "id": "GSD-2023-23627",
      "modified": "2023-01-28T00:00:00.000Z",
      "published": "2023-01-28T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rgrove/sanitize/releases/tag/v6.0.1"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 6.1,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Improper neutralization of `noscript` element content may allow XSS in Sanitize"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-23627",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "sanitize",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 5.0.0, \u003c 6.0.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "rgrove"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
            "refsource": "MISC",
            "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-fw3g-2h3j-qmm7",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2023-23627",
      "cvss_v3": 6.1,
      "date": "2023-01-28",
      "description": "### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `\u003e= 5.0.0, \u003c 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nSanitize\u0027s default configs don\u0027t allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.\n\n### Patches\n\nSanitize `\u003e= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\n\n### Details\n\nThe root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn\u0027t support scripting so it follows the \"scripting disabled\" rules, but a web browser with scripting enabled will follow the \"scripting enabled\" rules. This means that Sanitize can\u0027t reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.",
      "gem": "sanitize",
      "ghsa": "fw3g-2h3j-qmm7",
      "patched_versions": [
        "\u003e= 6.0.1"
      ],
      "related": {
        "url": [
          "https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22",
          "https://github.com/rgrove/sanitize/releases/tag/v6.0.1"
        ]
      },
      "title": "Improper neutralization of `noscript` element content may allow XSS in Sanitize",
      "unaffected_versions": [
        "\u003c 5.0.0"
      ],
      "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.0.0 \u003c6.0.1",
          "affected_versions": "All versions starting from 5.0.0 before 6.0.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2023-02-06",
          "description": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, is vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.",
          "fixed_versions": [
            "6.0.1"
          ],
          "identifier": "CVE-2023-23627",
          "identifiers": [
            "CVE-2023-23627",
            "GHSA-fw3g-2h3j-qmm7"
          ],
          "not_impacted": "All versions before 5.0.0, all versions starting from 6.0.1",
          "package_slug": "gem/sanitize",
          "pubdate": "2023-01-28",
          "solution": "Upgrade to version 6.0.1 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-23627",
            "https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22",
            "https://github.com/advisories/GHSA-fw3g-2h3j-qmm7"
          ],
          "uuid": "a1a57593-2f27-48ab-9797-b13257c0b1fb"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sanitize_project:sanitize:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.0.1",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-23627"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-02-06T19:05Z",
      "publishedDate": "2023-01-28T00:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-23627 (GCVE-0-2023-23627)

GHSA-FW3G-2H3J-QMM7

Impact

Patches

Workarounds

Details

References

Credit

FKIE_CVE-2023-23627

GSD-2023-23627

Tags

Sightings

Nomenclature