CVE-2024-34078 MEDIUM

CVE-2024-34078: html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization

Vendor Matthiask
Product html-sanitizer
Weakness CWE-79 · XSS
Published May 6, 2024
Last update August 26, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

html-sanitizer is an allowlist-based HTML cleaner. When `keep_typographic_whitespace=False` (the default), the sanitizer normalizes its output to Unicode NFKC form as the last step, after the allowlist filtering has already run. Some Unicode characters (compatibility variants of `<` and `>`) normalize to the ASCII angle brackets, so markup written with those characters passes the allowlist as plain text and only becomes real HTML after cleaning; specially crafted input can therefore escape sanitization. The problem has been fixed in 2.4.2.
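The mechanism described above, shown as an added example that is not html-sanitizer's own code: a stand-in cleaning step (`html.escape`, an assumption standing in for the project's real allowlist filter) is run once before and once after NFKC normalization on a constructed payload, and a helper enumerates every BMP code point whose NFKC form contains an ASCII angle bracket, which is the list a practitioner would want when auditing any sanitizer that normalizes after cleaning.

```python
import html
import unicodedata

# Constructed sample payload (not from the advisory): the tag is written with
# U+FF1C FULLWIDTH LESS-THAN SIGN and U+FF1E FULLWIDTH GREATER-THAN SIGN. These
# are not ASCII '<' / '>' and so look like plain text to an allowlist cleaner,
# but NFKC maps them to ASCII '<' and '>'.
CRAFTED = "\uFF1Cimg src=x onerror=alert(1)\uFF1E"


def allowlist_clean(fragment: str) -> str:
    """Stand-in for the cleaning step (assumption, not html-sanitizer's code).

    A real allowlist cleaner keeps permitted tags and drops or escapes the
    rest; this toy version permits nothing, so every ASCII '<' and '>' in
    the input is escaped. Only its ordering relative to normalization matters
    for the bug being demonstrated.
    """
    return html.escape(fragment, quote=False)


def sanitize_vulnerable(fragment: str) -> str:
    """Order described in the advisory: clean first, normalize last."""
    return unicodedata.normalize("NFKC", allowlist_clean(fragment))


def sanitize_fixed(fragment: str) -> str:
    """Normalize first, so the cleaner sees the same text the browser will."""
    return allowlist_clean(unicodedata.normalize("NFKC", fragment))


def contains_raw_tag(output: str) -> bool:
    """True if the output still carries unescaped ASCII angle brackets."""
    return "<" in output or ">" in output


def nfkc_angle_bracket_sources() -> set[str]:
    """Every BMP code point whose NFKC form contains ASCII '<' or '>'.

    Each returned character is a candidate for the same bypass and makes a
    useful fixture when testing a sanitizer's ordering of normalization.
    """
    found = set()
    for cp in range(0x10000):
        if 0xD800 <= cp <= 0xDFFF:  # skip lone surrogates
            continue
        ch = chr(cp)
        if ch in "<>":
            continue
        if any(c in "<>" for c in unicodedata.normalize("NFKC", ch)):
            found.add(ch)
    return found


if __name__ == "__main__":
    print(repr(sanitize_vulnerable(CRAFTED)))  # the tag survives as real HTML
    print(repr(sanitize_fixed(CRAFTED)))       # the tag is escaped
    print(sorted(f"U+{ord(c):04X}" for c in nfkc_angle_bracket_sources()))
```

The same check applies to any pipeline that canonicalizes after validating: whatever transformation runs last (NFKC, case folding, percent-decoding) must run before the allowlist, or the allowlist is judging text the consumer will never see.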

Key dates

02 Disclosure timeline

May 6, 2024 CVE published
August 26, 2024 Record updated
