Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-26293

Good to know:

icon
icon

Date: January 4, 2021

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372.

Language: C#

Severity Score

Related Resources (7)

https://github.com/mganss/HtmlSanitizer/commit/a3a7602a44d4155d51ec0fbbedc2a49e9c7e2eb8
https://nvd.nist.gov/vuln/detail/CVE-2020-26293
https://www.nuget.org/packages/HtmlSanitizer
https://github.com/mganss/HtmlSanitizer/releases/tag/v5.0.372
https://www.nuget.org/packages/HtmlSanitizer/
https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-8j9v-h2vp-2hhv
https://www.mend.io/vulnerability-database/CVE-2020-26293

Severity Score

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Injection

CWE-74

Top Fix

icon

Upgrade Version

Upgrade to version HtmlSanitizer - 5.0.372

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us