Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/515775?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/515775?format=api", "purl": "pkg:deb/debian/ruby-sanitize@2.1.0-2%2Bdeb9u1", "type": "deb", "namespace": "debian", "name": "ruby-sanitize", "version": "2.1.0-2+deb9u1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.0.0-1.1+deb12u1", "latest_non_vulnerable_version": "6.0.0-1.1+deb12u1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45564?format=api", "vulnerability_id": "VCID-ay3g-dffw-2uc5", "summary": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nSanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in \"relaxed\" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in `style` element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that does not allow `style` elements, using a Sanitize config that does not allow CSS at-rules, or by manually escaping the character sequence `</` as `<\\/` in `style` element content.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36823", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.62249", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.62246", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.62229", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.62245", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00419", "scoring_system": "epss", "scoring_elements": "0.62256", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36823" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36823", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36823" }, { "reference_url": "https://github.com/rgrove/sanitize", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize" }, { "reference_url": "https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220" }, { "reference_url": "https://github.com/rgrove/sanitize/releases/tag/v6.0.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/releases/tag/v6.0.2" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-36823.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-36823.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00008.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00008.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041430", "reference_id": "1041430", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041430" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36823", "reference_id": "CVE-2023-36823", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36823" }, { "reference_url": "https://github.com/advisories/GHSA-f5ww-cq3m-q3g7", "reference_id": "GHSA-f5ww-cq3m-q3g7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f5ww-cq3m-q3g7" }, { "reference_url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7", "reference_id": "GHSA-f5ww-cq3m-q3g7", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7" }, { "reference_url": "https://usn.ubuntu.com/6748-1/", "reference_id": "USN-6748-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6748-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/510507?format=api", "purl": "pkg:deb/debian/ruby-sanitize@5.2.1-2%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-sjm6-6xqs-xqc2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-sanitize@5.2.1-2%252Bdeb11u1" } ], "aliases": [ "CVE-2023-36823", "GHSA-f5ww-cq3m-q3g7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ay3g-dffw-2uc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51425?format=api", "vulnerability_id": "VCID-fh6m-cggz-hqcm", "summary": "Cross-site scripting vulnerability via `<math>` or `<svg>` element in Sanitize\nWhen HTML is sanitized using Sanitize's \"relaxed\" config or a custom config that allows certain\nelements, some content in a `<math>` or `<svg>` element may not be sanitized correctly even if\n`math` and `svg` are not in the allowlist.\n\nYou are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom\nconfig that allows one or more of the following HTML elements:\n\n- `iframe`\n- `math`\n- `noembed`\n- `noframes`\n- `noscript`\n- `plaintext`\n- `script`\n- `style`\n- `svg`\n- `xmp`\n\n### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize,\npotentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is\nrendered in a browser.\n\n### Releases\n\nThis problem has been fixed in Sanitize 5.2.1.\n\n### Workarounds\n\nIf upgrading is not possible, a workaround is to override the default value of Sanitize's\n`:remove_contents` config option with the following value, which ensures that the contents of\n`math` and `svg` elements (among others) are removed entirely when those elements are not in the\nallowlist:\n\n```ruby\n%w[iframe math noembed noframes noscript plaintext script style svg xmp]\n```\n\nFor example, if you currently use Sanitize's relaxed config, you can create a custom config\nobject that overrides the default value of `:remove_contents` like this:\n\n```ruby\ncustom_config = Sanitize::Config.merge(\n Sanitize::Config::RELAXED,\n :remove_contents => %w[iframe math noembed noframes noscript plaintext script style svg xmp]\n)\n```\n\nYou would then pass this custom config to Sanitize when sanitizing HTML.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-4054", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00484", "scoring_system": "epss", "scoring_elements": "0.6568", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00484", "scoring_system": "epss", "scoring_elements": "0.65627", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00484", "scoring_system": "epss", "scoring_elements": "0.65688", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00484", "scoring_system": "epss", "scoring_elements": "0.65669", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00484", "scoring_system": "epss", "scoring_elements": "0.65679", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00484", "scoring_system": "epss", "scoring_elements": "0.65691", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-4054" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4054", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4054" }, { "reference_url": "https://github.com/rgrove/sanitize", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize" }, { "reference_url": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9" }, { "reference_url": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/releases/tag/v5.2.1" }, { "reference_url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2020-4054.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2020-4054.yml" }, { "reference_url": "https://usn.ubuntu.com/4543-1", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://usn.ubuntu.com/4543-1" }, { "reference_url": "https://usn.ubuntu.com/4543-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4543-1/" }, { "reference_url": "https://www.debian.org/security/2020/dsa-4730", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2020/dsa-4730" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963808", "reference_id": "963808", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963808" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4054", "reference_id": "CVE-2020-4054", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4054" }, { "reference_url": "https://github.com/advisories/GHSA-p4x4-rw2p-8j8m", "reference_id": "GHSA-p4x4-rw2p-8j8m", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p4x4-rw2p-8j8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/516391?format=api", "purl": "pkg:deb/debian/ruby-sanitize@4.6.6-2.1~deb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ay3g-dffw-2uc5" }, { "vulnerability": "VCID-fh6m-cggz-hqcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-sanitize@4.6.6-2.1~deb10u1" }, { "url": "http://public2.vulnerablecode.io/api/packages/510507?format=api", "purl": "pkg:deb/debian/ruby-sanitize@5.2.1-2%2Bdeb11u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-sjm6-6xqs-xqc2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-sanitize@5.2.1-2%252Bdeb11u1" } ], "aliases": [ "CVE-2020-4054", "GHSA-p4x4-rw2p-8j8m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fh6m-cggz-hqcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39530?format=api", "vulnerability_id": "VCID-urxx-ddvx-sbh7", "summary": "HTML injection/XSS\nWhen sanitize is used in combination with libxml2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing attributes that are not specified in the allowlist to be used. This can allow HTML and JavaScript injection, which could result in XSS if the output is served to browsers.", "references": [ { "reference_url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released" }, { "reference_url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3740", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49872", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49863", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49881", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49833", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49852", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49809", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3740" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3740", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3740" }, { "reference_url": "https://github.com/rgrove/sanitize", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize" }, { "reference_url": "https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e" }, { "reference_url": "https://github.com/rgrove/sanitize/commit/93feeb38e21864146bb29191792b971dbe1ec62e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/commit/93feeb38e21864146bb29191792b971dbe1ec62e" }, { "reference_url": "https://github.com/rgrove/sanitize/issues/176", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/issues/176" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2018-3740.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2018-3740.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3740", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3740" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4358", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4358" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893610", "reference_id": "893610", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893610" }, { "reference_url": "https://security.archlinux.org/ASA-201807-1", "reference_id": "ASA-201807-1", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-201807-1" }, { "reference_url": "https://security.archlinux.org/AVG-726", "reference_id": "AVG-726", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-726" }, { "reference_url": "https://github.com/advisories/GHSA-7f42-p84j-f58p", "reference_id": "GHSA-7f42-p84j-f58p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7f42-p84j-f58p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/516391?format=api", "purl": "pkg:deb/debian/ruby-sanitize@4.6.6-2.1~deb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ay3g-dffw-2uc5" }, { "vulnerability": "VCID-fh6m-cggz-hqcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-sanitize@4.6.6-2.1~deb10u1" } ], "aliases": [ "CVE-2018-3740", "GHSA-7f42-p84j-f58p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-urxx-ddvx-sbh7" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39530?format=api", "vulnerability_id": "VCID-urxx-ddvx-sbh7", "summary": "HTML injection/XSS\nWhen sanitize is used in combination with libxml2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing attributes that are not specified in the allowlist to be used. This can allow HTML and JavaScript injection, which could result in XSS if the output is served to browsers.", "references": [ { "reference_url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released" }, { "reference_url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3740", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49872", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49863", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49881", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49833", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49852", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00263", "scoring_system": "epss", "scoring_elements": "0.49809", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-3740" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3740", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3740" }, { "reference_url": "https://github.com/rgrove/sanitize", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize" }, { "reference_url": "https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e" }, { "reference_url": "https://github.com/rgrove/sanitize/commit/93feeb38e21864146bb29191792b971dbe1ec62e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/commit/93feeb38e21864146bb29191792b971dbe1ec62e" }, { "reference_url": "https://github.com/rgrove/sanitize/issues/176", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rgrove/sanitize/issues/176" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2018-3740.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2018-3740.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3740", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3740" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4358", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4358" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893610", "reference_id": "893610", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893610" }, { "reference_url": "https://security.archlinux.org/ASA-201807-1", "reference_id": "ASA-201807-1", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-201807-1" }, { "reference_url": "https://security.archlinux.org/AVG-726", "reference_id": "AVG-726", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-726" }, { "reference_url": "https://github.com/advisories/GHSA-7f42-p84j-f58p", "reference_id": "GHSA-7f42-p84j-f58p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7f42-p84j-f58p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/515775?format=api", "purl": "pkg:deb/debian/ruby-sanitize@2.1.0-2%2Bdeb9u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ay3g-dffw-2uc5" }, { "vulnerability": "VCID-fh6m-cggz-hqcm" }, { "vulnerability": "VCID-urxx-ddvx-sbh7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-sanitize@2.1.0-2%252Bdeb9u1" }, { "url": "http://public2.vulnerablecode.io/api/packages/516391?format=api", "purl": "pkg:deb/debian/ruby-sanitize@4.6.6-2.1~deb10u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ay3g-dffw-2uc5" }, { "vulnerability": "VCID-fh6m-cggz-hqcm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-sanitize@4.6.6-2.1~deb10u1" } ], "aliases": [ "CVE-2018-3740", "GHSA-7f42-p84j-f58p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-urxx-ddvx-sbh7" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-sanitize@2.1.0-2%252Bdeb9u1" }