Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the allowedIframeHostnames option when the allowIframeRelativeUrls is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with /example.com.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Sanitize-html | Apostrophecms | * | 2.3.2 (excluding) |
| Red Hat OpenShift Container Platform 4.8 | RedHat | openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | openshift4/ose-thanos-rhel8:v4.8.0-202106291913.p0.git.c358e96.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.9 | RedHat | openshift4/ose-prometheus:v4.9.0-202109302016.p0.git.3197fa7.assembly.stream | * |
References
- https://advisory.checkmarx.net/advisory/CX-2021-4309
- https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26
- https://github.com/apostrophecms/sanitize-html/pull/460
- https://advisory.checkmarx.net/advisory/CX-2021-4309
- https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26
- https://github.com/apostrophecms/sanitize-html/pull/460