Mike Samuel

3 exploits, active since Jan 2021
CVE-2019-25225 MEDIUM WRITEUP
sanitize-html <2.0.0-beta - XSS
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanitize content when using the custom `transformTags` option, which is intended to convert attribute values into text. As a result, malicious input can be transformed into executable code.
CVSS 6.1
CVE-2021-23899 CRITICAL WRITEUP
OWASP json-sanitizer < 1.2.2 - XXE
OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.
CVSS 9.8
CVE-2021-23900 HIGH WRITEUP
OWASP json-sanitizer < 1.2.2 - Denial of Service
OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.
CVSS 7.5