Internationalized Domain Name (IDN) Bypass in Apostrophe Technologies sanitize-html
CVE-2021-26539 · MEDIUM Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDNs), which could allow an attacker to bypass the hostname whitelist validation set by the "allowedIframeHostnames" option.
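One way to enforce a hostname allowlist of the kind "allowedIframeHostnames" expresses, comparing the hostname only after it has been normalized by the WHATWG URL parser. This is an added example, not sanitize-html's code or its 2.3.1 change; the function names, allowlist contents and sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not sanitize-html's own code. All hostnames are constructed samples.
// Allowlist entries are kept in the ASCII (punycode) form that the URL parser emits.
const ALLOWED_IFRAME_HOSTNAMES = new Set(['www.example.com', 'xn--bcher-kva.example']);

// Placeholder base so protocol-relative values ("//host/path") resolve.
// Its hostname is never allowlisted, so path-only values are rejected.
const BASE = 'https://relative.invalid';

// Hostname as the WHATWG URL parser (the algorithm browsers follow) reports it:
// lower-cased, with IDN labels converted to punycode. Returns null when unusable.
function normalizedHostname(src) {
  let parsed;
  try {
    parsed = new URL(String(src), BASE);
  } catch (err) {
    return null; // unparseable value or invalid IDN label
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return parsed.hostname;
}

// Allow an iframe src only when its normalized hostname is an exact allowlist member.
function isAllowedIframeSrc(src) {
  const host = normalizedHostname(src);
  return host !== null && ALLOWED_IFRAME_HOSTNAMES.has(host);
}

// Constructed inputs covering the normalization cases the check has to get right.
const SAMPLES = [
  'https://www.example.com/embed/1',  // plain ASCII, allowlisted
  'HTTPS://WWW.EXAMPLE.COM/embed/1',  // case differences are folded
  '//www.example.com/embed/1',        // protocol-relative
  'https://bücher.example/v',         // IDN, compared in its punycode form
  'https://www.ex\u0430mple.com/',    // Cyrillic U+0430 lookalike, becomes a different xn-- host
  'data:text/html,x',                 // non-http(s) scheme
  '/embed/1',                         // path only, no hostname of its own
];

function checkSamples() {
  return SAMPLES.map((src) => ({
    src,
    host: normalizedHostname(src),
    allowed: isAllowedIframeSrc(src),
  }));
}

console.log(checkSamples());
```

The decision is made on the parser's output rather than on the raw attribute string, so an allowlist entry and the value a browser would load are compared in the same form.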