CVE-2024-34078 - Vulnerability Details - OpenCVE

ReportizFlow

html-sanitizer is an allowlist-based HTML cleaner. If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has been fixed in 2.4.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550
https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3
https://lists.debian.org/debian-lts-announce/2024/08/msg00000.html

History

Mon, 26 Aug 2024 18:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/08/msg00000.html

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-06T14:48:47.506Z

Updated: 2024-08-26T18:03:11.753Z

Reserved: 2024-04-30T06:56:33.383Z

Link: CVE-2024-34078

Vulnrichment

Updated: 2024-08-26T18:03:11.753Z

NVD

Status : Deferred

Published: 2024-05-06T15:15:24.187

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-34078

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34078", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-30T06:56:33.383Z", "datePublished": "2024-05-06T14:48:47.506Z", "dateUpdated": "2024-08-26T18:03:11.753Z"}, "containers": {"cna": {"title": "html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3"}, {"name": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550", "tags": ["x_refsource_MISC"], "url": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550"}], "affected": [{"vendor": "matthiask", "product": "html-sanitizer", "versions": [{"version": "< 2.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-06T14:48:47.506Z"}, "descriptions": [{"lang": "en", "value": "html-sanitizer is an allowlist-based HTML cleaner. If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has been fixed in 2.4.2.\n"}], "source": {"advisory": "GHSA-wvhx-q427-fgh3", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34078", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-06T20:39:29.806844Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:41:44.888Z"}}, {"title": "CVE Program Container", "references": [{"name": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3"}, {"name": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/08/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-26T18:03:11.753Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3", "name": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550", "name": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/08/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-26T18:03:11.753Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34078", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-06T20:39:29.806844Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-06T20:39:34.022Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization", "source": {"advisory": "GHSA-wvhx-q427-fgh3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "matthiask", "product": "html-sanitizer", "versions": [{"status": "affected", "version": "< 2.4.2"}]}], "references": [{"url": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3", "name": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550", "name": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "html-sanitizer is an allowlist-based HTML cleaner. If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has been fixed in 2.4.2.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-06T14:48:47.506Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34078", "state": "PUBLISHED", "dateUpdated": "2024-08-26T18:03:11.753Z", "dateReserved": "2024-04-30T06:56:33.383Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-06T14:48:47.506Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "html-sanitizer is an allowlist-based HTML cleaner. If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has been fixed in 2.4.2.\n"}, {"lang": "es", "value": "html-sanitizer es un limpiador HTML basado en listas permitidas. Si usa `keep_typographic_whitespace=False` (que es el valor predeterminado), el desinfectante normaliza Unicode al formulario NFKC al final. Algunos caracteres Unicode se normalizan como galones; esto permite que el HTML especialmente manipulado escape al saneamiento. El problema se solucion\u00f3 en 2.4.2."}], "id": "CVE-2024-34078", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-05-06T15:15:24.187", "references": [{"source": "[email protected]", "url": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550"}, {"source": "[email protected]", "url": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-fgh3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/08/msg00000.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}