CVE-2020-4054

Cross-site Scripting in gem/sanitize

Identifiers

CVE-2020-4054, GHSA-p4x4-rw2p-8j8m

Package Slug

gem/sanitize

Vulnerability

Cross-site Scripting

Description

In Sanitize (RubyGem sanitize) there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's relaxed config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist.

Affected Versions

All versions starting from 3.0.0 before 5.2.1

Solution

Upgrade to version 5.2.1 or above.
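The version check this advisory implies, written out as an added example (it is not part of the advisory and not code from the sanitize project): it uses RubyGems' own `Gem::Requirement` to test a resolved version against the affected range stated above (>= 3.0.0, < 5.2.1) and reads that version out of a `Gemfile.lock` so the check can run in CI before the fixed release is in place. The lockfile content is constructed for the example; the function names are this example's own.

```ruby
# Added example (not part of the advisory): flag a Gemfile.lock whose
# resolved sanitize version falls in the range affected by CVE-2020-4054.
require "rubygems"

# Affected range from the advisory: all versions from 3.0.0 before 5.2.1.
AFFECTED_RANGE = Gem::Requirement.new(">= 3.0.0", "< 5.2.1")
FIXED_VERSION  = Gem::Version.new("5.2.1")

# Parse resolved gem versions out of the "specs:" block of a Gemfile.lock.
# Returns a Hash of gem name => Gem::Version. Only top-level spec lines
# (four-space indent, "name (version)") count; the deeper-indented
# dependency lines beneath each spec are skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A non-indented line ("PLATFORMS", "DEPENDENCIES", ...) ends the block.
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# True when the given version (String or Gem::Version) is in the affected range.
def affected?(version)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version.to_s))
end

# Human-readable verdict for the sanitize entry of a lockfile.
def sanitize_status(lockfile_text)
  v = locked_versions(lockfile_text)["sanitize"]
  return "sanitize not present in lockfile" if v.nil?
  if affected?(v)
    "sanitize #{v} is affected by CVE-2020-4054; upgrade to #{FIXED_VERSION} or above"
  else
    "sanitize #{v} is not affected by CVE-2020-4054"
  end
end

# Constructed sample lockfile (hypothetical project) pinned to an affected release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      nokogiri (1.10.9)
        mini_portile2 (~> 2.4.0)
      sanitize (5.1.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.8.0)
        nokogumbo (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    sanitize
LOCK

puts sanitize_status(SAMPLE_LOCK) if $PROGRAM_NAME == __FILE__
```

Point `sanitize_status` at `File.read("Gemfile.lock")` to run it against a real project; a non-zero exit on an affected verdict is enough to gate a pipeline until the upgrade to 5.2.1 lands.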

Last Modified

2020-06-22
