CVE-2023-44390
HTML injection vulnerability in HtmlSanitizer (NuGet)

Vulnerability class: HTML injection. Known public exploits: none. Fix: available (Resolved Security).

What is CVE-2023-44390 About?

This HTML injection vulnerability affects configurations in which foreign HTML content (specifically the `svg` or `math` elements) is allowed together with certain comment or raw text elements. An attacker can bypass sanitization to inject arbitrary HTML, including JavaScript, leading to Cross-Site Scripting (XSS). The vulnerability requires this specific permissive configuration; where it is present, it can be exploited easily with crafted input.

Affected Software

  • HtmlSanitizer
    • <8.0.723
    • >8.1.0-beta, <8.1.722-beta

Technical Details

CVE-2023-44390 is an HTML injection flaw that lets an attacker bypass HtmlSanitizer's sanitization under specific configurations. It manifests when the application allows foreign elements (`svg` or `math`) together with certain comment or raw text elements (`iframe`, `noembed`, `xmp`, `title`, `noframes`, `style`, or `noscript`). An additional bypass path opens if any HTML integration element (`title`, `desc`, `mi`, `mo`, `mn`, `ms`, `mtext`, `annotation-xml`) is also allowed. With such a configuration, an attacker can craft input that survives the sanitizer and results in arbitrary HTML injection, including embedded JavaScript, leading to DOM-based Cross-Site Scripting (XSS). The bypass relies on the interaction between these allowed element types to circumvent the controls intended to prevent script execution.
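The following is an added example, not code from this advisory or from the HtmlSanitizer project. It audits an `HtmlSanitizer` instance for the element combination the advisory describes (foreign elements allowed alongside the listed raw text/comment elements or HTML integration elements) and builds a configuration that does not meet that precondition. It assumes HtmlSanitizer 8.x, where the package's namespace is `Ganss.Xss` and the tag allow-list is exposed as `HtmlSanitizer.AllowedTags`; the class and method names (`SanitizerConfigAudit`, `Audit`, `CreateHardened`) and the sample fragment are mine. Upgrading to a fixed release remains the primary remedy; the audit only surfaces configurations that should be reviewed.

```csharp
// Added example (not from the advisory or the HtmlSanitizer project):
// audit an HtmlSanitizer configuration for the element combination that
// CVE-2023-44390 depends on, and build a configuration without it.
// Assumes HtmlSanitizer 8.x (namespace Ganss.Xss; earlier releases used Ganss.XSS).
using System;
using System.Collections.Generic;
using System.Linq;
using Ganss.Xss;

public static class SanitizerConfigAudit
{
    // Element groups as named in the advisory text.
    static readonly string[] ForeignElements = { "svg", "math" };
    static readonly string[] RawTextOrCommentElements =
        { "iframe", "noembed", "xmp", "title", "noframes", "style", "noscript" };
    static readonly string[] IntegrationElements =
        { "title", "desc", "mi", "mo", "mn", "ms", "mtext", "annotation-xml" };

    // Returns one finding per risky combination; an empty list means the
    // precondition described in the advisory is not present in this config.
    public static List<string> Audit(HtmlSanitizer sanitizer)
    {
        var findings = new List<string>();
        var allowed = new HashSet<string>(sanitizer.AllowedTags, StringComparer.OrdinalIgnoreCase);

        var foreign = ForeignElements.Where(allowed.Contains).ToList();
        if (foreign.Count == 0)
            return findings; // no foreign content allowed: nothing to report

        var rawText = RawTextOrCommentElements.Where(allowed.Contains).ToList();
        if (rawText.Count > 0)
            findings.Add($"foreign elements [{string.Join(", ", foreign)}] allowed together with " +
                         $"raw text/comment elements [{string.Join(", ", rawText)}]");

        var integration = IntegrationElements.Where(allowed.Contains).ToList();
        if (integration.Count > 0)
            findings.Add($"foreign elements [{string.Join(", ", foreign)}] allowed together with " +
                         $"HTML integration elements [{string.Join(", ", integration)}]");

        return findings;
    }

    // Start from the package defaults and make sure the foreign and raw text
    // elements are absent, so the advisory's precondition cannot be met.
    public static HtmlSanitizer CreateHardened()
    {
        var sanitizer = new HtmlSanitizer();
        foreach (var tag in ForeignElements) sanitizer.AllowedTags.Remove(tag);
        foreach (var tag in RawTextOrCommentElements) sanitizer.AllowedTags.Remove(tag);
        return sanitizer;
    }

    public static void Main()
    {
        // Constructed permissive configuration mirroring the advisory's precondition.
        var permissive = new HtmlSanitizer();
        permissive.AllowedTags.Add("svg");
        permissive.AllowedTags.Add("style");
        foreach (var finding in Audit(permissive))
            Console.WriteLine("RISK: " + finding);

        var hardened = CreateHardened();
        Console.WriteLine(Audit(hardened).Count == 0
            ? "hardened config: no findings"
            : "hardened config: findings remain");

        // Sanitize a benign constructed fragment with the hardened configuration.
        Console.WriteLine(hardened.Sanitize("<p>Hello <b>world</b></p>"));
    }
}
```

Run the audit against every sanitizer instance your application constructs, including ones built from stored or tenant-specific settings, since the advisory's precondition is a non-default allow-list rather than a code path.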

What is the Impact of CVE-2023-44390?

Successful exploitation may allow attackers to inject arbitrary HTML and JavaScript, leading to DOM-based Cross-Site Scripting (XSS). This can result in information disclosure, session hijacking, or defacement of the affected application.

What is the Exploitability of CVE-2023-44390?

Exploitation of this HTML injection vulnerability requires an attacker to provide user input containing specially crafted HTML that targets the permissive sanitizer configuration. The attack is remote, as it relies on injecting malicious content into user-controllable fields. No authentication or specific privileges are needed if the application accepts and processes untrusted user input with the vulnerable configuration. The main prerequisite is an application with a non-default configuration that explicitly allows both foreign content (like svg or math tags) and specific raw text or comment-like elements. Without these specific allowances, the vulnerability is not present. Risk factors include web applications that allow users to submit rich HTML content without proper sanitization, especially those with custom sanitizer configurations that diverge from default secure settings.

What are the Known Public Exploits?

No known public exploits are listed (no PoC, author, link, or commentary).

What are the Available Fixes for CVE-2023-44390?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • HtmlSanitizer
    • <8.0.723 → Upgrade to 8.0.723
    • >8.1.0-beta, <8.1.722-beta → Upgrade to 8.1.722-beta


Additional Resources

What are Similar Vulnerabilities to CVE-2023-44390?

Similar Vulnerabilities: CVE-2020-26293, CVE-2020-21665, CVE-2020-13936, CVE-2020-11022, CVE-2020-11021