Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: Med] Access Restriction Bypass and Validation Bypass(due 4/12/21) #4379

Closed
lbeaufort opened this issue Feb 11, 2021 · 1 comment
Closed

[Snyk: Med] Access Restriction Bypass and Validation Bypass(due 4/12/21) #4379

lbeaufort opened this issue Feb 11, 2021 · 1 comment
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 14.3

Comments

@lbeaufort
Copy link
Member

lbeaufort commented Feb 11, 2021
edited
Loading

Vulnerable module: sanitize-html
Introduced through: sanitize-html@1.18.4
Fixed in: 2.3.1

Introduced through: fec-cms@1.0.0 › sanitize-html@1.18.4
Remediation: Upgrade to sanitize-html@2.3.1

Overview
sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis

Affected versions of this package are vulnerable to Access Restriction Bypass. Internationalized domain name (IDN) is not properly handled. This allows attackers to bypass hostname whitelist validation set by the allowedIframeHostnames option.

Read more: https://app.snyk.io/org/fecgov/project/2a97cddb-4b62-4d54-b18f-3b85d55a5e10/?fromGitHubAuth=true#issue-SNYK-JS-SANITIZEHTML-1070786
@lbeaufort lbeaufort added the Security: moderate Remediate within 60 days label Feb 11, 2021
@lbeaufort lbeaufort added this to the Sprint 14.3 milestone Feb 11, 2021
@lbeaufort lbeaufort changed the title [Snyk: Med] Access Restriction Bypass (due 4/12/21) [Snyk: Med] Access Restriction Bypass and Validation Bypass(due 4/12/21) Feb 11, 2021
This was referenced Feb 11, 2021
Closed
Closed
@patphongs patphongs mentioned this issue Feb 24, 2021
Closed
@hcaofec hcaofec mentioned this issue Mar 3, 2021
Closed
1 task
@patphongs patphongs mentioned this issue Mar 10, 2021
Closed
@lbeaufort lbeaufort mentioned this issue Mar 17, 2021
Closed
1 task
@lbeaufort
Copy link
Member Author

We removed sanitize-html with this PR: #4500

@pkfec pkfec mentioned this issue Mar 24, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 14.3
Development

No branches or pull requests
1 participant
@lbeaufort