QwikSec

Security Database

CVE

CWE

Training

CVE-2020-26293

Published: Jan 4, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372.

Vendor	Product	Versions
mganss	HtmlSanitizer	affected `< 5.0.372`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv

x_refsource_CONFIRM

https://www.nuget.org/packages/HtmlSanitizer/

x_refsource_MISC

https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372

x_refsource_MISC

https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.