Security Advisory

CVE-2021-26540

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-02-08 16:16:07

Last updated 2024-08-03 20:26:25

Assigner mitre

State PUBLISHED

Description

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/example.com".

← Browse all CVEs View on cve.org ↗