Write a blog analysis for a CVE
publishScreenshots from the blog posts
Summary
Versions below 2.12.1 of the package sanitize-html are vulnerable to path disclosure when used on the backend and with the style attribute allowed, allowing verifying files and folder existence on the system (including project dependencies). An attacker could leverage this vulnerability to gather details about the file system structure and dependencies to perform more targeted attacks against the server. This post details the process of diving into the source code to uncover the root-cause and reveal how insecure usage of the third-party package could lead to seemingly innocuous yet noxious bugs.
Description
Tags
Comments (0)