Home > Vulnerability Database > CVE-2024-21501

Mend.io Vulnerability Database

CVE-2024-21501

Good to know:

Date: February 24, 2024

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

Language: JS

Severity Score

5.3

Related Resources (11)

Url: https://github.com/apostrophecms/sanitize-html/pull/650

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S/

Url: https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EB5JPYRCTS64EA5AMV3INHDPI6I4AW7

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P4I5X6V3LYUNBMZ5YOW4BV427TH3IK4S

Url: https://github.com/apostrophecms/sanitize-html

Url: https://github.com/apostrophecms/apostrophe/discussions/4436

Url: https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21501

Url: https://www.mend.io/vulnerability-database/CVE-2024-21501

Severity Score

5.3

Weakness Type (CWE)

Insertion of Sensitive Information into Externally-Accessible File or Directory

CWE-538

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Top Fix

Upgrade Version

Upgrade to version sanitize-html - 2.12.1;jupyterlab-nvdashboard - 0.6.0;org.webjars.npm:sanitize-html:no_fix

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21501

Good to know:

Date: February 24, 2024

Language: JS

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?