Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-26293

Good to know:

icon
icon

Date: January 4, 2021

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372.

Language: C#

Severity Score

Related Resources (7)

https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8
https://nvd.nist.gov/vuln/detail/CVE-2020-26293
https://www.nuget.org/packages/HtmlSanitizer
https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372
https://www.nuget.org/packages/HtmlSanitizer/
https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv
https://www.mend.io/vulnerability-database/CVE-2020-26293

Severity Score

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

icon

Upgrade Version

Upgrade to version SS.CMS - no_fix;SS.CMS - 6.15.0-beta;SS.CMS - 6.14.41-beta;Ucommerce-for-Kentico - no_fix;AdjustStringProperties - 2.0.0;uCommerce.Umbraco7 - 9.5.0.21245;HtmlSanitizer.NetCore3.1 - no_fix;Ucommerce.Sitefinity - 9.5.0.21245;Ucommerce.Umbraco8 - 9.5.0.21245;HtmlSanitizer - 5.0.372;Liberty.Cable.Frontend - no_fix;Vsa.Framework - no_fix;Ucommerce.Client.WebForms - 9.5.0.21245

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us