CVE-2023-36823

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Jul 6, 2023
Updated: Dec 22, 2023
CWE ID 79

Summary

CVE-2023-36823 affects the HTML and CSS sanitizer Sanitize from version 3.0.0 up to, but not including, 6.0.2. Affected versions allow arbitrary HTML and CSS injection when Sanitize's built-in "relaxed" configuration is used, or when a custom configuration allows `style` elements together with one or more CSS at-rules. An attacker can use this to perform cross-site scripting or trigger other unwanted browser behaviour. Sanitize 6.0.2 fixes the issue by adding escaping of CSS in `style` element content. Users who cannot upgrade can mitigate it by disabling `style` elements, disabling CSS at-rules, or manually escaping the `</` sequence as `<\\/>` in `style` element content.
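The manual workaround above, applied at the point where a style element's CSS text is serialised into HTML, as an added example; this is not code from the advisory or from the Sanitize project, and the function names and the sample CSS are constructed for illustration.

```ruby
# Added example, not code from the advisory or the Sanitize project. It applies
# the workaround the advisory names (escape "</" as "<\/" in style content) at
# the point where a style element's CSS text is serialised into HTML.

# Escape the "</" sequence inside CSS text. "\/" is a CSS character escape for
# "/", so the stylesheet keeps its meaning, but the HTML parser no longer sees
# a "</" that could end the <style> element before its real closing tag.
def escape_style_css(css)
  css.gsub('</') { '<\/' } # block form: replacement is inserted literally
end

# Serialise a style element around untrusted CSS text (hypothetical helper).
def style_element(css, escape: true)
  body = escape ? escape_style_css(css) : css
  "<style>#{body}</style>"
end

# Check: a well-formed style element contains exactly one "</" (its own closing
# tag). Any other count means the CSS text can terminate the element early.
def style_breakout?(html)
  html.scan('</').length != 1
end

# Constructed sample: an at-rule whose string value contains "</style>".
SAMPLE_CSS = '@media screen { .x::after { content: "</style>"; } }'

if __FILE__ == $PROGRAM_NAME
  puts style_element(SAMPLE_CSS, escape: false) # two "</": element can be closed early
  puts style_element(SAMPLE_CSS)                # one "</": escaped, stays inside the element
end
```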
