CVE-2020-4054: Cross-site Scripting

June 16, 2020 (updated September 28, 2020)

In Sanitize (RubyGem sanitize) there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize’s relaxed config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist.

References

nvd.nist.gov/vuln/detail/CVE-2020-4054

Code Behaviors & Features

Detect and mitigate CVE-2020-4054 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →