6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-23627

GHSA ID

GHSA-fw3g-2h3j-qmm7

EPSS Score

0.52826%

CWE

CWE-79

Published

1/28/2023

Updated

2/13/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-23627

CVE-2023-23627: Improper neutralization of `noscript` element content may allow XSS in Sanitize

Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize >= 5.0.0, < 6.0.1 when Sanitize is configured with a custom allowlist that allows noscript elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.

Sanitize's default configs don't allow noscript elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

Patches

Sanitize >= 6.0.1 always removes noscript elements and their contents, even when noscript is in the allowlist.

Workarounds

Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include noscript in the element allowlist.

Details

The root cause of this issue is that HTML parsing rules treat the contents of a noscript element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a noscript element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.

References

Release Notes

Credit

Thanks to David Klein from TU Braunschweig (@leeN) for reporting this issue.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-23627

GHSA ID

GHSA-fw3g-2h3j-qmm7

EPSS Score

0.52826%

CWE

CWE-79

Published

1/28/2023

Updated

2/13/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sanitize	rubygems	>= 5.0.0, < 6.0.1	6.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the fact that the CleanElement transformer (in clean_element.rb) did not account for the parsing discrepancy between Nokogiri (scripting-disabled mode) and browsers (scripting-enabled mode). The commit diff shows the addition of explicit noscript handling to forcibly remove these elements, indicating that the call method in this transformer was the point of failure. The tests added in test_clean_element.rb and test_malicious_html.rb confirm that allowing noscript in configs previously caused vulnerabilities, and the fix explicitly addresses this in the transformer.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Usin* **r**ully *r**t** input, *n *tt**k*r m*y ** **l* to sn**k *r*itr*ry *TML t*rou** S*nitiz* `>= *.*.*, < *.*.*` w**n S*nitiz* is *on*i*ur** wit* * *ustom *llowlist t**t *llows `nos*ript` *l*m*nts. T*is *oul* r*sult in XSS (*ross-sit*

Reasoning

T** vuln*r**ility st*ms *rom t** ***t t**t t** `*l**n*l*m*nt` tr*ns*orm*r (in *l**n_*l*m*nt.r*) *i* not ***ount *or t** p*rsin* *is*r*p*n*y **tw**n Noko*iri (s*riptin*-*is**l** mo**) *n* *rows*rs (s*riptin*-*n**l** mo**). T** *ommit *i** s*ows t** **

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-23627: Improper neutralization of `noscript` element content may allow XSS in Sanitize

Impact

Patches

Workarounds

Details

References

Credit

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI