CVE-2017-16016
Cross-Site Scripting (XSS) vulnerability in sanitize-html (npm)

Vulnerability type: Cross-Site Scripting (XSS). Known public exploit: none.

What is CVE-2017-16016 About?

This vulnerability affects 'sanitize-html' when `allowedTags` includes a `nonTextTag` like `<textarea>`, leading to Cross-Site Scripting (XSS). Attackers can inject malicious scripts into web pages, which can compromise user sessions or data. Exploitation is possible with crafted input and specific sanitizer configurations.

Affected Software

sanitize-html <1.11.4

Technical Details

The sanitize-html library, in affected versions, does not properly escape or sanitize content inside certain `nonTextTag` elements, specifically `<textarea>`, when that tag is explicitly listed in `allowedTags`. An attacker can embed malicious HTML, such as <svg/onload=promptxs>, inside a `<textarea>` element in their input. When sanitize-html processes this input with `<textarea>` allowed, it may emit the content of the `<textarea>` unescaped, or in a form that lets the embedded markup break out of the textarea context. If this sanitized output is then rendered in a browser, the embedded script executes, resulting in Cross-Site Scripting (XSS).

What is the Impact of CVE-2017-16016?

Successful exploitation may allow attackers to execute arbitrary client-side scripts, steal user session cookies, deface web pages, redirect users to malicious sites, or launch further client-side attacks.

What is the Exploitability of CVE-2017-16016?

Exploitation of this XSS vulnerability is of moderate complexity. It requires an attacker to provide specially crafted input to an application that uses sanitize-html with a configuration in which a `nonTextTag` (e.g., `<textarea>`) is explicitly allowed. No authentication or elevated privileges are typically required to submit the malicious input, assuming the application accepts user-supplied content. This is a remote attack: the attacker injects malicious content that is later rendered by a victim's browser. The primary risk factor is the application's sanitize-html configuration, specifically the `allowedTags` setting. An application that accepts unfiltered user input and uses the vulnerable sanitize-html configuration is highly susceptible.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known public exploits are listed.

What are the Available Fixes for CVE-2017-16016?

Available Upgrade Options

  • sanitize-html
    • <1.11.4 → Upgrade to 1.11.4
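To turn the two risk factors named above (an installed version below 1.11.4 and an `allowedTags` list that permits a non-text tag such as `<textarea>`) into something a reviewer can run against a code base, here is an added audit helper. It is example code written for this page, not code from the sanitize-html project. It assumes the `allowedTags` option shape documented by sanitize-html (an array of tag names, or `false` to allow every tag) and takes sanitize-html's default `nonTextTags` list (`script`, `style`, `textarea`, `option`) as an assumption; override it if your configuration sets that option differently.

```javascript
// Added example (not from the sanitize-html project): audit a sanitize-html
// deployment for CVE-2017-16016 exposure. Two checks:
//   1. is the installed sanitize-html version below the fixed version 1.11.4?
//   2. does the sanitizer configuration allow any "non-text" tag, i.e. a tag
//      whose body is treated as raw text (this CVE concerns <textarea>)?
// Exposure requires both: a vulnerable version AND a config allowing such a tag.

const FIXED_VERSION = '1.11.4';

// Assumption: sanitize-html's default nonTextTags list. Adjust if overridden.
const DEFAULT_NON_TEXT_TAGS = ['script', 'style', 'textarea', 'option'];

// Parse "major.minor.patch" (optional leading "v", trailing pre-release ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing a to b numerically field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Which non-text tags does this configuration let through?
// `allowedTags: false` in sanitize-html means "allow all tags", so every
// non-text tag counts as allowed in that case.
function allowedNonTextTags(options, nonTextTags = DEFAULT_NON_TEXT_TAGS) {
  const opts = options || {};
  const nonText = (opts.nonTextTags || nonTextTags).map(t => String(t).toLowerCase());
  if (opts.allowedTags === false) return nonText.slice();
  const allowed = new Set((opts.allowedTags || []).map(t => String(t).toLowerCase()));
  return nonText.filter(t => allowed.has(t));
}

// Combine both checks into a report object a CI step can act on.
function auditSanitizeHtml(installedVersion, options) {
  const vulnerableVersion = isVulnerableVersion(installedVersion);
  const riskyTags = allowedNonTextTags(options);
  const findings = [];
  if (vulnerableVersion) {
    findings.push(`sanitize-html ${installedVersion} is below fixed version ${FIXED_VERSION}; upgrade`);
  }
  if (riskyTags.length > 0) {
    findings.push(`allowedTags permits non-text tag(s): ${riskyTags.join(', ')}`);
  }
  return {
    exposed: vulnerableVersion && riskyTags.length > 0,
    vulnerableVersion,
    riskyTags,
    findings,
  };
}

// Constructed sample configurations (not taken from any real deployment).
const riskyConfig = { allowedTags: ['b', 'i', 'textarea', 'a'] };
const safeConfig = { allowedTags: ['b', 'i', 'a'] };

console.log(JSON.stringify(auditSanitizeHtml('1.11.3', riskyConfig), null, 2));
console.log(JSON.stringify(auditSanitizeHtml('1.11.4', riskyConfig), null, 2));
console.log(JSON.stringify(auditSanitizeHtml('1.11.3', safeConfig), null, 2));
```

Feed `auditSanitizeHtml` the version from your lockfile and the options object you pass to `sanitizeHtml()`; `exposed` is true only when both conditions hold, while `findings` lists each condition separately so that a configuration allowing `<textarea>` is still flagged for review after the upgrade.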


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16016?

Similar Vulnerabilities: CVE-2017-16017, CVE-2017-16018, CVE-2017-16019, CVE-2017-16020, CVE-2017-16021