CVE-2024-21501
MEDIUM
sanitize-html < 2.12.1 - Information Exposure via Style Attribute
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
References (8)
Core References
Exploit, Third Party Advisory
https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf
Issue Tracking
https://github.com/apostrophecms/apostrophe/discussions/4436
Patch
https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4
Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/
Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334
Scores
CVSS v3
5.3
EPSS
0.0102
EPSS Percentile
58.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
CWE-538
Status
published
Products (4)
apostrophecms/sanitize-html
< 2.12.1
fedoraproject/fedora
39
fedoraproject/fedora
40
npm/sanitize-html
0 - 2.12.1 (npm)
Published
Feb 24, 2024
Tracked Since
Feb 18, 2026