admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-06-12 02:05:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

add CVE-2020-4054 for GHSA-p4x4-rw2p-8j8m

Browse Source
This commit is contained in:
Robert Schultheis 2020-06-16 16:07:12 -06:00
parent 51783211bf
commit dcebfe773f
No known key found for this signature in database
GPG Key ID: 348C4211B4D8BB40
1 changed files with 81 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
2020/4xxx/CVE-2020-4054.json
View File

@ -1,18 +1,93 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-4054",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting in Sanitize"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sanitize",
"version": {
"version_data": [
{
"version_value": ">= 3.0.0, < 5.2.1"
}
]
}
}
]
},
"vendor_name": "rgrove"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's \"relaxed\" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist.\n\nYou are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp.\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nThis has been fixed in 5.2.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m",
"refsource": "CONFIRM",
"url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m"
},
{
"name": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9",
"refsource": "MISC",
"url": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9"
},
{
"name": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1",
"refsource": "MISC",
"url": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1"
}
]
},
"source": {
"advisory": "GHSA-p4x4-rw2p-8j8m",
"discovery": "UNKNOWN"
}
}