CVE-2018-3740
N/A
N/A
Summary
A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ryan Grove | sanitize (ruby gem) | < 4.6.3 | affected |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
ADP Enrichment
CVE Program Container
Additional References
- https://www.debian.org/security/2018/dsa-4358
- https://github.com/rgrove/sanitize/issues/176
- https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
- https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e
References
- https://www.debian.org/security/2018/dsa-4358
- https://github.com/rgrove/sanitize/issues/176
- https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
- https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.