CVE-2021-26539
MEDIUMApostrophe Technologies sanitize-html <2.3.1 - Info Disclosure
Title source: llmDescription
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
References (3)
Core 3
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22
Patch, Third Party Advisory x_refsource_misc
https://github.com/apostrophecms/sanitize-html/pull/458
Exploit, Third Party Advisory x_refsource_misc
https://advisory.checkmarx.net/advisory/CX-2021-4308
Scores
CVSS v3
5.3
EPSS
0.0029
EPSS Percentile
52.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
Status
published
Products (2)
apostrophecms/sanitize-html
< 2.3.1
npm/sanitize-html
0 - 2.3.1npm
Published
Feb 08, 2021
Tracked Since
Feb 18, 2026