CVE-2023-44390 MEDIUM

CVE-2023-44390: HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content

Vendor Mganss

Product HtmlSanitizer

Weakness CWE-79 · XSS

Published October 5, 2023

Last update September 19, 2024

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. The vulnerability occurs in configurations where foreign content is allowed, i.e. either `svg` or `math` are in the list of allowed elements. In the case an application sanitizes user input with a vulnerable configuration, an attacker could bypass the sanitization and inject arbitrary HTML, including JavaScript code. Note that in the default configuration the vulnerability is not present. The vulnerability has been fixed in versions 8.0.723 and 8.1.722-beta (preview version).

Key dates

02Disclosure timeline

October 5, 2023 CVE published

September 19, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-44390

Related vulnerabilities

Identifiers

CVE CVE-2023-44390

CWE CWE-79

CVSS 6.1 / MEDIUM

Affected versions

Vendor Mganss

Product HtmlSanitizer

Affected < 8.0.723

Vendor Mganss

Product HtmlSanitizer

Affected >= 8.1.0-beta, < 8.1.722-beta

CVE-2023-44390: HtmlSanitizer vulnerable to Cross-site Scripting in Foreign Content

01Description

02Disclosure timeline

03References

04Related CVE