Published: 30/03/2018 Updated: 28/12/2018

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.

Vulnerable Product	Search on Vulmon	Subscribe to Product
sanitize project sanitize

Debian Bug report logs - #893610 ruby-sanitize: CVE-2018-3740 Package: src:ruby-sanitize; Maintainer for src:ruby-sanitize is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 20 Mar 2018 12:57:01 UTC Severity: grave ...

The Shopify Application Security Team discovered that ruby-sanitize, a whitelist-based HTML sanitizer, is prone to a HTML injection vulnerability A specially crafted HTML fragment can cause to allow nonwhitelisted attributes to be used on a whitelisted HTML element For the stable distribution (stretch), this problem has been fixed in version 21 ...

A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element ...

CWE-20 https://github.com/rgrove/sanitize/issues/176 https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/https://www.debian.org/security/2018/dsa-4358 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893610 https://nvd.nist.gov https://www.debian.org/security/./dsa-4358 https://security.archlinux.org/CVE-2018-3740

CVE-2018-3740

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect