Debian Security Advisory

DLA-3652-1 ruby-sanitize -- LTS security update

Date Reported:
14 Nov 2023
Affected Packages:
ruby-sanitize
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2023-36823.
More information:

It was discovered that there was a potential cross-site scripting (XSS) in ruby-sanitize, a whitelist-based HTML sanitizer.

Using carefully crafted input, an attacker may have been able to sneak arbitrary HTML and CSS through Sanitize when it was configured to use the built-in relaxed config, or a custom config that allowed style elements and one or more CSS "at"-rules. This could have resulted in cross-site scripting (XSS) or other undesired behavior if the malicious HTML and CSS were then rendered in a browser.

  • CVE-2023-36823

    Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in `style` element content, which fixes this issue.
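    The following is an added illustration of the defensive escaping the fix describes; it is not code from this advisory or from the Sanitize project, and it assumes the fix's approach is to rewrite the sequence "</" inside style element content as the CSS escape "<\/" so that CSS text can never terminate the enclosing style element.

```ruby
# Added example (not part of the Debian advisory or the Sanitize gem).
# An HTML parser ends a <style> element as soon as it sees "</style",
# regardless of CSS structure (at-rules included), so CSS that is placed
# inside a style element must never contain an unescaped "</".
# Assumption: the upstream fix escapes "</" as the CSS escape "<\/".

# Escape every "</" in CSS text so it cannot terminate an enclosing <style>.
# "\/" is a valid CSS backslash escape, so the stylesheet is unaffected.
# The block form of gsub is used so the backslash is inserted literally.
def escape_style_content(css)
  css.gsub('</') { '<\\/' }
end

# Conservative check: true if the text could prematurely close a <style>
# element when rendered. Case-insensitive because HTML tag names are.
def can_close_style?(css)
  css.downcase.include?('</style')
end

# Emit CSS inside a style element only after escaping its content.
def render_style(css)
  "<style>#{escape_style_content(css)}</style>"
end

# Constructed sample: an at-rule followed by a stray end tag, the kind of
# style content the advisory warns about for configs allowing at-rules.
SAMPLE_CSS = "@media print { body { color: black; } } </style>"

if __FILE__ == $0
  puts "before: closes style? #{can_close_style?(SAMPLE_CSS)}"
  puts "after:  closes style? #{can_close_style?(escape_style_content(SAMPLE_CSS))}"
  puts render_style(SAMPLE_CSS)
end
```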

For Debian 10 Buster, this problem has been fixed in version 4.6.6-2.1~deb10u2.

We recommend that you upgrade your ruby-sanitize packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS