CVE-2021-26540

Origin Validation Error in npm/sanitize-html

Identifier

CVE-2021-26540

Package Slug

npm/sanitize-html

Vulnerability

Origin Validation Error

Description

sanitize-html does not properly validate the hostnames set by the allowedIframeHostnames option when the allowIframeRelativeUrls option is set to true. An attacker can bypass the iframe hostname allow list with a src value that starts with /\\example.com (in a JavaScript string literal; the raw attribute value is a slash followed by a backslash, /\example.com). sanitize-html classified such a value as a relative URL, because it begins with a single slash, and so allowed it; browsers treat the backslash as a second slash, resolve the value as a protocol-relative URL, and load the iframe from example.com (or any other attacker-chosen host) rather than from the sanitizing site.
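The classification mistake and its fix, as an added example in plain Node.js. This is not sanitize-html's own code; the option names mirror the library's, but the helper functions, the sentinel base host and the naive/hardened switch are illustrative assumptions. The naive check treats "starts with one slash" as relative and so passes /\evil.example through; the hardened check first rewrites a leading slash/backslash pair to // the way browsers do, then lets the WHATWG URL parser (Node's global URL) decide what host the iframe would really load from.

```javascript
// Added example, not sanitize-html's implementation. Option names follow the
// library (allowedIframeHostnames, allowIframeRelativeUrls); everything else
// here is assumed for illustration.

// Hypothetical base host used to detect relative URLs after parsing.
const SENTINEL = 'relative-site.invalid';

// Naive classification: "starts with exactly one slash" == relative.
// Browsers disagree: for http(s) URLs a backslash is treated as a slash,
// so "/\evil.example/x" resolves to "https://evil.example/x".
function isRelativeNaive(src) {
  return src.startsWith('/') && !src.startsWith('//');
}

// Hardened classification: normalise a leading slash/backslash pair (with
// optional scheme and whitespace) to "//", then parse against an https base so
// the parser applies the special-scheme rule that "\" means "/".
function parseWithBrowserRules(src) {
  const normalised = src.replace(/^(\w+:)?\s*[\\/]\s*[\\/]/, '$1//');
  // Absolute if it carries a scheme or starts with "//" after normalisation.
  const absolute = /^(\w+:)?\/\//.test(normalised);
  const parsed = new URL(normalised, `https://${SENTINEL}/`);
  return { hostname: parsed.hostname, relative: !absolute && parsed.hostname === SENTINEL };
}

// Decide whether an iframe src is allowed under the given options.
// hardened=false reproduces the /\ bypass; hardened=true closes it.
function iframeSrcAllowed(src, opts, { hardened }) {
  const { allowedIframeHostnames = [], allowIframeRelativeUrls = false } = opts;
  let relative;
  let hostname;
  if (hardened) {
    let parsed;
    try {
      parsed = parseWithBrowserRules(src);
    } catch {
      return false; // unparseable src: reject rather than guess
    }
    ({ relative, hostname } = parsed);
  } else {
    relative = isRelativeNaive(src);
    hostname = relative ? null : new URL(src, `https://${SENTINEL}/`).hostname;
  }
  if (relative) {
    return allowIframeRelativeUrls;
  }
  return allowedIframeHostnames.includes(hostname);
}

// Constructed inputs: a YouTube-only allow list with relative URLs enabled,
// the configuration the advisory describes.
const opts = { allowedIframeHostnames: ['www.youtube.com'], allowIframeRelativeUrls: true };
const bypass = '/\\evil.example/frame'; // raw attribute value: /\evil.example/frame

console.log('naive    :', iframeSrcAllowed(bypass, opts, { hardened: false })); // true  (bypass)
console.log('hardened :', iframeSrcAllowed(bypass, opts, { hardened: true }));  // false
console.log('resolves to host:', parseWithBrowserRules(bypass).hostname);        // evil.example
```

The hardened path is deliberately asymmetric: anything the parser cannot handle is rejected, and an input is only called relative when it neither carries a scheme nor begins with // after normalisation and still resolves to the sentinel host. Upgrading to 2.3.2 or later is the actual fix; this block only shows why a prefix check on the raw string is not a safe way to tell a relative URL from an absolute one.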

Affected Versions

All versions before 2.3.2

Solution

Upgrade to version 2.3.2 or above.

Last Modified

2021-02-15
