Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com".
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2021-02-08T16:16:07
Updated: 2024-08-03T20:26:25.388Z
Reserved: 2021-02-01T00:00:00
Link: CVE-2021-26540
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-02-08T17:15:13.737
Modified: 2024-11-21T05:56:26.670
Link: CVE-2021-26540
Redhat