Source: node-sanitize-html
Version: 2.8.0+~2.6.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/apostrophecms/sanitize-html/pull/650
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-sanitize-html.

CVE-2024-21501[0]:
| Versions of the package sanitize-html before 2.12.1 are vulnerable
| to Information Exposure when used on the backend and with the style
| attribute allowed, allowing enumeration of files in the system
| (including project dependencies). An attacker could exploit this
| vulnerability to gather details about the file system structure and
| dependencies of the targeted server.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21501
    https://www.cve.org/CVERecord?id=CVE-2024-21501
[1] https://github.com/apostrophecms/sanitize-html/pull/650
[2] https://github.com/apostrophecms/sanitize-html/commit/075499d1b98c387f4200fd59972ca9b15796b51b

Regards,
Salvatore
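An added audit check, not part of this report or of the sanitize-html project, for the two preconditions the advisory names: an installed version before 2.12.1 and a sanitize-html configuration that lets the `style` attribute through. The `allowedAttributes` shapes handled, the stripping of the Debian version suffix, and the sample configurations are assumptions made for this example.

```javascript
// Added example: audit a server-side deployment against the CVE-2024-21501
// preconditions (version < 2.12.1 AND the style attribute allowed).
const FIXED_VERSION = '2.12.1'; // first fixed upstream release per the advisory

// Assumption: a Debian version such as "2.8.0+~2.6.2-1" carries the upstream
// release before the first '+', '~' or '-', so strip everything after it.
function upstreamVersion(version) {
  return version.split(/[+~-]/)[0];
}

// Numeric dotted-version comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = upstreamVersion(a).split('.').map(Number);
  const pb = upstreamVersion(b).split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Does this options object allow `style` on any tag?
// Assumption: allowedAttributes is undefined (library defaults, which do not
// include style), false (every attribute allowed), or a map of tag name or
// '*' to an array of attribute names or { name: ... } descriptors.
function configAllowsStyle(options) {
  const allowed = options && options.allowedAttributes;
  if (allowed === undefined) return false;
  if (allowed === false) return true;
  return Object.values(allowed).some(list =>
    (list || []).some(attr =>
      (typeof attr === 'string' ? attr : attr && attr.name) === 'style'));
}

// Both conditions must hold; the advisory scopes this to backend use.
function isAffected(version, options) {
  return isVulnerableVersion(version) && configAllowsStyle(options);
}

// Constructed sample configurations: the weak setting beside a corrected one.
const weakConfig = { allowedAttributes: { '*': ['style'] } };
const hardenedConfig = { allowedAttributes: { a: ['href', 'name', 'target'] } };
```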