Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-02-08T16:16:07

Updated: 2024-08-03T20:26:25.388Z

Reserved: 2021-02-01T00:00:00

Link: CVE-2021-26540

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-02-08T17:15:13.737

Modified: 2024-11-21T05:56:26.670

Link: CVE-2021-26540

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-01-26T00:00:00Z

Links: CVE-2021-26540 - Bugzilla