CVE-2020-26293
HTML injection vulnerability in HtmlSanitizer (NuGet)

HTML injection | No known exploit | Fixable by Resolved Security

What is CVE-2020-26293 About?

This HTML injection vulnerability arises when the `<style>` tag is explicitly allowed in an HTML sanitizer, enabling attackers to embed script after sanitization. While the default settings disallow this tag, custom configurations that permit it are at risk. Successful exploitation can lead to cross-site scripting (XSS) via crafted HTML.

Affected Software

HtmlSanitizer <5.0.372

Technical Details

CVE-2020-26293 is an HTML injection flaw in applications that use an HTML sanitizer in which the `<style>` tag has been explicitly whitelisted. Sanitizers normally remove potentially dangerous elements, but once `<style>` is allowed, an attacker can craft HTML that survives sanitization and still leads to script execution, for example through CSS expressions or embedded `@import` rules that bypass the sanitizer's intended controls. The end result is injection of arbitrary script, i.e. Cross-Site Scripting (XSS). The default configuration is not affected because `<style>` is not on its allowed-tag list; only custom configurations that override this default introduce the risk.

What is the Impact of CVE-2020-26293?

Successful exploitation may allow attackers to inject arbitrary HTML and JavaScript, leading to Cross-Site Scripting (XSS). This can result in information disclosure, session hijacking, or defacement of the affected application.

What is the Exploitability of CVE-2020-26293?

Exploitation requires an attacker to submit specially crafted HTML containing malicious constructs inside a `<style>` tag. The attack is remote, since it only needs malicious input to reach the web application, and no authentication or special privileges are required when the application processes untrusted user input. The one critical prerequisite is that the application's HTML sanitizer has been explicitly configured to allow the `<style>` tag; the default settings prevent this vulnerability, and there are no other notable conditions or constraints. Applications most at risk are those that accept rich HTML from users and have customized their sanitizer settings to include `<style>`, deviating from the more secure defaults.
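The following is an added example, not code from the advisory or from the HtmlSanitizer project: it audits an HtmlSanitizer instance for the precondition described above (the `<style>` tag present in `AllowedTags`) and shows the risky configuration beside the safe one, using a constructed input that carries the kind of `@import` rule the technical details mention. It assumes HtmlSanitizer 5.0.x and its `Ganss.XSS` namespace (newer releases use `Ganss.Xss`).

```csharp
// Added example (not from the advisory or the HtmlSanitizer project).
// Assumes HtmlSanitizer 5.0.x, namespace Ganss.XSS.
using System;
using System.Linq;
using Ganss.XSS;

public static class StyleTagAudit
{
    // Constructed sample input: a <style> element carrying an @import rule, the
    // kind of construct the advisory says a style-permitting configuration lets through.
    const string Sample =
        "<p>hello</p><style>@import url('https://example.invalid/x.css');</style>";

    // True when the configuration re-enables <style>, i.e. the CVE-2020-26293
    // precondition. Run this against every sanitizer your application builds.
    public static bool AllowsStyleTag(HtmlSanitizer s) =>
        s.AllowedTags.Any(t => string.Equals(t, "style", StringComparison.OrdinalIgnoreCase));

    // Risky: a custom configuration that explicitly whitelists <style>.
    public static HtmlSanitizer RiskyConfig()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Add("style");
        return s;
    }

    // Safe: the defaults leave <style> out; the Remove guards against a shared
    // base configuration that added it.
    public static HtmlSanitizer SafeConfig()
    {
        var s = new HtmlSanitizer();
        s.AllowedTags.Remove("style");
        return s;
    }

    public static void Main()
    {
        foreach (var (name, s) in new[] { ("risky", RiskyConfig()), ("safe", SafeConfig()) })
        {
            string output = s.Sanitize(Sample);
            bool styleSurvives =
                output.IndexOf("<style", StringComparison.OrdinalIgnoreCase) >= 0;
            Console.WriteLine(
                $"{name}: allows style tag = {AllowsStyleTag(s)}, style in output = {styleSurvives}");
        }
    }
}
```

The audit check is the part worth wiring into a unit test: assert `AllowsStyleTag` is false for every sanitizer your application constructs, so a later configuration change cannot silently reintroduce the exposure.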

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2020-26293?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • HtmlSanitizer
    • <5.0.372 → Upgrade to 5.0.372


Additional Resources

What are Similar Vulnerabilities to CVE-2020-26293?

Similar Vulnerabilities: CVE-2023-44390, CVE-2020-21665, CVE-2020-13936, CVE-2020-11022, CVE-2020-11021