Vulnerability Description
html-sanitizer is an allowlist-based HTML cleaner. If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has been fixed in 2.4.2.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b8
- https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-f
- https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b8
- https://github.com/matthiask/html-sanitizer/security/advisories/GHSA-wvhx-q427-f
- https://lists.debian.org/debian-lts-announce/2024/08/msg00000.html
FAQ
What is CVE-2024-34078?
CVE-2024-34078 is a vulnerability with a CVSS score of 6.1 (MEDIUM). html-sanitizer is an allowlist-based HTML cleaner. If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode chara...
How severe is CVE-2024-34078?
CVE-2024-34078 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-34078?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.