{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-21501", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-12-22T12:33:20.119Z", "datePublished": "2024-02-24T05:00:02.731Z", "dateUpdated": "2025-02-13T17:33:15.082Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"}}], "credits": [{"value": "Vsevolod Kokorin (Slonser) of Solidlab", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Information Exposure", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-06-10T16:10:55.046Z"}, "descriptions": [{"value": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557"}, {"url": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf"}, {"url": "https://github.com/apostrophecms/sanitize-html/pull/650"}, {"url": "https://github.com/apostrophecms/apostrophe/discussions/4436"}, {"url": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/"}], "affected": [{"product": "sanitize-html", "versions": [{"version": "0", "lessThan": "2.12.1", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}, {"product": "org.webjars.npm:sanitize-html", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.904Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", "tags": ["x_transferred"]}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", "tags": ["x_transferred"]}, {"url": "https://github.com/apostrophecms/sanitize-html/pull/650", "tags": ["x_transferred"]}, {"url": "https://github.com/apostrophecms/apostrophe/discussions/4436", "tags": ["x_transferred"]}, {"url": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-538", "lang": "en", "description": "CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory"}]}], "affected": [{"vendor": "apostrophecms", "product": "sanitize-html", "cpes": ["cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.12.1", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T17:45:45.938662Z", "id": "CVE-2024-21501", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T17:49:19.931Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334", "tags": ["x_transferred"]}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf", "tags": ["x_transferred"]}, {"url": "https://github.com/apostrophecms/sanitize-html/pull/650", "tags": ["x_transferred"]}, {"url": "https://github.com/apostrophecms/apostrophe/discussions/4436", "tags": ["x_transferred"]}, {"url": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:20:40.904Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21501", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-28T17:45:45.938662Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:node.js:*:*"], "vendor": "apostrophecms", "product": "sanitize-html", "versions": [{"status": "affected", "version": "0", "lessThan": "2.12.1", "versionType": "semver"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-538", "description": "CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T17:48:10.404Z"}}], "cna": {"credits": [{"lang": "en", "value": "Vsevolod Kokorin (Slonser) of Solidlab"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "sanitize-html", "versions": [{"status": "affected", "version": "0", "lessThan": "2.12.1", "versionType": "semver"}]}, {"vendor": "n/a", "product": "org.webjars.npm:sanitize-html", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"}, {"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557"}, {"url": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf"}, {"url": "https://github.com/apostrophecms/sanitize-html/pull/650"}, {"url": "https://github.com/apostrophecms/apostrophe/discussions/4436"}, {"url": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/"}], "descriptions": [{"lang": "en", "value": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-200", "description": "Information Exposure"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2024-06-10T16:10:55.046Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21501", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:33:15.082Z", "dateReserved": "2023-12-22T12:33:20.119Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2024-02-24T05:00:02.731Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apostrophecms:sanitize-html:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "39A4A2E7-4806-4E3D-861C-AF5D2A58CDD7", "versionEndExcluding": "2.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server."}, {"lang": "es", "value": "Las versiones del paquete sanitize-html anteriores a la 2.12.1 son vulnerables a la exposici\u00f3n de la informaci\u00f3n cuando se usan en el backend y con el atributo de estilo permitido, lo que permite la enumeraci\u00f3n de archivos en el sistema (incluidas las dependencias del proyecto). Un atacante podr\u00eda aprovechar esta vulnerabilidad para recopilar detalles sobre la estructura del sistema de archivos y las dependencias del servidor objetivo."}], "id": "CVE-2024-21501", "lastModified": "2025-04-25T19:37:25.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-24T05:15:44.310", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf"}, {"source": "report@snyk.io", "tags": ["Issue Tracking"], "url": "https://github.com/apostrophecms/apostrophe/discussions/4436"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"}, {"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/apostrophecms/sanitize-html/pull/650"}, {"source": "report@snyk.io", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/"}, {"source": "report@snyk.io", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/apostrophecms/apostrophe/discussions/4436"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/apostrophecms/sanitize-html/pull/650"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "report@snyk.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-538"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHBA-2024:3555", "cpe": "cpe:/a:redhat:multicluster_engine:2.4::el8", "package": "multicluster-engine/console-mce-rhel8:v2.4.5-25", "product_name": "multicluster engine for Kubernetes 2.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHBA-2024:3555", "cpe": "cpe:/a:redhat:multicluster_engine:2.4::el8", "package": "multicluster-engine/multicluster-engine-console-mce-rhel8:v2.4.5-25", "product_name": "multicluster engine for Kubernetes 2.4 for RHEL 8", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHBA-2024:1775", "cpe": "cpe:/a:redhat:multicluster_engine:2.5::el8", "package": "multicluster-engine/console-mce-rhel9:v2.5.2-6", "product_name": "multicluster engine for Kubernetes 2.5 for RHEL 9", "release_date": "2024-04-10T00:00:00Z"}, {"advisory": "RHBA-2024:1775", "cpe": "cpe:/a:redhat:multicluster_engine:2.5::el8", "package": "multicluster-engine/multicluster-engine-console-mce-rhel9:v2.5.2-6", "product_name": "multicluster engine for Kubernetes 2.5 for RHEL 9", "release_date": "2024-04-10T00:00:00Z"}, {"advisory": "RHBA-2024:1793", "cpe": "cpe:/a:redhat:acm:2.10::el9", "package": "rhacm2/console-rhel9:v2.10.1-3", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHBA-2024:3593", "cpe": "cpe:/a:redhat:acm:2.9::el8", "package": "rhacm2/console-rhel8:v2.9.4-22", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8", "release_date": "2024-06-04T00:00:00Z"}, {"advisory": "RHSA-2024:1770", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift4/ose-monitoring-plugin-rhel8:v4.15.0-202404031310.p0.ge8f7503.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-04-16T00:00:00Z"}], "bugzilla": {"description": "sanitize-html: Information Exposure when used on the backend", "id": "2266111", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266111"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.", "An information exposure flaw was found in the sanitize-html package, when used on the backend with the style attribute allowed. This issue may allow an attacker to enumerate files in the system, including project dependencies, to gather details about the file system structure and dependencies of the targeted server."], "name": "CVE-2024-21501", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/ose-console", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Will not fix", "package_name": "devspaces/dashboard-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "nodejs-redhat-cloud-services-frontend-components", "product_name": "Red Hat Satellite 6"}], "public_date": "2024-02-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21501\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21501\nhttps://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4"], "threat_severity": "Moderate"}