CVE-2021-26539 — Improper Input Validation in sanitize-html

Description

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.

How to fix CVE-2021-26539

To remediate CVE-2021-26539, upgrade the affected package to a fixed version below.

npm/sanitize-html—upgrade to 2.3.1 or later

Is CVE-2021-26539 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-26539
PATCHgithub.com/apostrophecms/sanitize-html
WEBadvisory.checkmarx.net/advisory/CX-2021-4308
WEBgithub.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22