CVE-2024-21501 — sanitize-html Information Exposure vulnerability

Description

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

How to fix CVE-2024-21501

To remediate CVE-2024-21501, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 2.12.1 or later

Is CVE-2024-21501 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 2.12.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21501
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-21501
PATCHgithub.com/apostrophecms/sanitize-html
WEBgist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf
WEB