CVE-2024-21501 — MEDIUM (5.3)

Q: How severe is CVE-2024-21501?

CVE-2024-21501 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-21501?

Check the references section above for vendor advisories and patch information. Affected products include: Apostrophecms Sanitize-Html, Fedoraproject Fedora.

Vulnerability Description

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apostrophecms	Sanitize-Html	< 2.12.1
Fedoraproject	Fedora	39

Related Weaknesses (CWE)

CWE-538 CWE-200

References

https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cfExploitThird Party Advisory
https://github.com/apostrophecms/apostrophe/discussions/4436Issue Tracking
https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea3Patch
https://github.com/apostrophecms/sanitize-html/pull/650Patch
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557ExploitThird Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-6256334ExploitThird Party Advisory
https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cfExploitThird Party Advisory
https://github.com/apostrophecms/apostrophe/discussions/4436Issue Tracking
https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea3Patch
https://github.com/apostrophecms/sanitize-html/pull/650Patch
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-6276557ExploitThird Party Advisory

FAQ

What is CVE-2024-21501?

CVE-2024-21501 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (i...

How severe is CVE-2024-21501?

CVE-2024-21501 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-21501?

Check the references section above for vendor advisories and patch information. Affected products include: Apostrophecms Sanitize-Html, Fedoraproject Fedora.