Unveiling CVE-2024-21501: Pursuing the abyss - Understanding and exploiting sanitize-html vulnerability, patch, and the root-cause!


CVEs

5.3 Medium Severity


Summary

Versions of the sanitize-html package below 2.12.1 are vulnerable to path disclosure when the package is used on the backend with the style attribute allowed. The flaw lets an attacker verify the existence of files and folders on the system (including project dependencies). An attacker could leverage this vulnerability to gather details about the file system structure and dependencies in order to perform more targeted attacks against the server. This post details the process of diving into the source code to uncover the root cause and reveals how insecure usage of the third-party package could lead to seemingly innocuous yet noxious bugs.

Description

@secatgourity
