SCA: security update for sanitize (GHSA-f5ww-cq3m-q3g7)

medium Tenable Self-Hosted Container Security Plugin ID 414305

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be
able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version
6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that
allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other
undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs
additional escaping of CSS in `style` element content, which fixes this issue. Users who are unable to
upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a
Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `</` as
`<\/` in `style` element content. (CVE-2023-36823)

See Also

https://github.com/advisories/GHSA-f5ww-cq3m-q3g7

Plugin Details

Severity: Medium

ID: 414305

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-36823

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/6/2023

Vulnerability Publication Date: 7/6/2023

Reference Information

CVE: CVE-2023-36823

cwe: CWE-79