Home > Vulnerability Database > CVE-2024-21501

Mend.io Vulnerability Database

CVE-2024-21501

Good to know:

Date: February 24, 2024

Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

Language: JS

Severity Score

5.3

Related Resources (6)

Url: https://github.com/apostrophecms/sanitize-html/pull/650

Url: https://github.com/apostrophecms/sanitize-html/commit/c5dbdf77fe8b836d3bf4554ea39edb45281ec0b4

Url: https://github.com/apostrophecms/apostrophe/discussions/4436

Url: https://gist.github.com/Slonser/8b4d061abe6ee1b2e10c7242987674cf

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-21501

Url: https://www.mend.io/vulnerability-database/CVE-2024-21501

Severity Score

5.3

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

Upgrade Version

Upgrade to version sanitize-html - 2.12.1

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-21501

Good to know:

Date: February 24, 2024

Language: JS

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?