CVE-2016-1000237
Cross-Site Scripting (XSS) vulnerability in sanitize-html (npm)
What is CVE-2016-1000237 About?
This vulnerability in 'sanitize-html' occurs because it does not recursively sanitize input, allowing attackers to inject arbitrary JavaScript. This can lead to Cross-Site Scripting (XSS) attacks. Exploitation is possible with carefully crafted nested input.
Affected Software
Technical Details
The sanitize-html library, in affected versions, performs a single pass of sanitization and does not recursively process nested HTML content. An attacker can craft input where malicious JavaScript is hidden within multiple layers of allowed tags or attributes in a way that, after the initial sanitization pass, transforms into executable script. For example, by encoding fragments or using attribute-based XSS vectors within seemingly benign elements, the non-recursive sanitization fails to catch the final, executable script, leading to Cross-Site Scripting (XSS) when the output is rendered in a web browser.
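As an added illustration of the single-pass failure described above (a constructed toy, not sanitize-html's own code): a naive one-pass tag stripper, a check that detects when a sanitizer's output is not a fixed point of the sanitizer, and a wrapper that re-runs the pass until the output stops changing. The sample input, the function names and the iteration bound are all assumptions for this example.

```javascript
// Toy non-recursive sanitizer (constructed for this example): one regex pass that
// deletes any <script ...> or </script> tag. A single pass is not enough, because
// removing an inner tag can splice the surrounding text into a new tag that this
// pass never examined.
function singlePassSanitize(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, '');
}

// Detection check: a sanitizer's output is only trustworthy if sanitizing it again
// changes nothing. Returns true when the output is a fixed point, false when a
// second pass still alters it (the symptom of a nested-input bypass).
function isFixedPoint(sanitize, html) {
  const once = sanitize(html);
  return sanitize(once) === once;
}

// Mitigation: iterate the pass until the output is stable. The round limit is a
// guard so a pathological input cannot spin forever; if it is reached the input is
// rejected instead of being returned half-cleaned.
function sanitizeToFixedPoint(sanitize, html, maxRounds = 10) {
  let current = html;
  for (let i = 0; i < maxRounds; i++) {
    const next = sanitize(current);
    if (next === current) return next; // stable: no further tags emerge
    current = next;
  }
  throw new Error('sanitizer did not converge; rejecting input');
}

// Constructed sample: the inner tag is removed by the first pass, and the text
// around it then reassembles into a tag the first pass never saw.
const NESTED_SAMPLE = '<p>hello <scr<script>ipt>x</scr</script>ipt> world</p>';
const BENIGN_SAMPLE = '<p>hello world</p>';

// Stand-alone demonstration (nothing here is needed by the functions above).
console.log('single pass   :', singlePassSanitize(NESTED_SAMPLE));
console.log('fixed point?  :', isFixedPoint(singlePassSanitize, NESTED_SAMPLE));
console.log('to fixed point:', sanitizeToFixedPoint(singlePassSanitize, NESTED_SAMPLE));
```

The check is usable against any sanitizer, not only the toy one: feed it the real sanitizer as the `sanitize` argument and flag any input for which it returns false.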
What is the Impact of CVE-2016-1000237?
Successful exploitation may allow attackers to execute arbitrary client-side scripts, steal user session cookies, deface web pages, redirect users to malicious sites, or launch further client-side attacks.
What is the Exploitability of CVE-2016-1000237?
Exploitation of this XSS vulnerability is of moderate complexity. It requires an attacker to provide specially crafted nested input that bypasses the single-pass sanitization logic. No specific authentication or elevated privileges are typically required, assuming the application allows user-supplied content. This is a remote attack, where the attacker injects malicious content which is then rendered by a victim's browser. The primary risk factor is the nature of the input accepted by the application and its reliance on a non-recursive sanitization mechanism. An application processing complex or deeply nested user-supplied HTML is particularly vulnerable.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-1000237?
About the Fix from Resolved Security
Available Upgrade Options
- sanitize-html
  - <1.4.3 → Upgrade to 1.4.3
Additional Resources
- https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000237.json
- https://osv.dev/vulnerability/GHSA-3j7m-hmh3-9jmp
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000237
- https://github.com/apostrophecms/sanitize-html/commit/762fbc7bba389f3f789cc291c1eb2b64f60f2caf
- https://github.com/apostrophecms/sanitize-html/issues/29
- https://nodesecurity.io/advisories/135
- https://github.com/punkave/sanitize-html/issues/29
- https://www.npmjs.com/advisories/135
What are Similar Vulnerabilities to CVE-2016-1000237?
Similar Vulnerabilities: CVE-2017-16017, CVE-2017-16018, CVE-2017-16019, CVE-2017-16020, CVE-2017-16021
