Internationalized Domain Name (IDN) Bypass in Apostrophe Technologies sanitize-html

CVE-2021-26539 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain names (IDNs), which could allow an attacker to bypass the hostname whitelist validation set by the "allowedIframeHostnames" option.
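
A defensive pattern for the hostname allowlist check described above, as an added example that is not sanitize-html's code or its 2.3.1 fix: both the allowlist entries and the iframe `src` host are canonicalized through the WHATWG URL parser before they are compared. The function names and sample hostnames are assumptions constructed for illustration.

```javascript
// Added example, not sanitize-html code. All names here are hypothetical.

// Canonical ASCII form of a bare hostname, or null if it is not a valid host.
// The WHATWG URL parser lowercases the host and applies IDNA ToASCII, so a
// Unicode label and its "xn--" spelling come out as the same string.
function canonicalHost(host) {
  if (typeof host !== 'string' || /[\s\/\\?#@:]/.test(host)) return null;
  try {
    const ascii = new URL(`https://${host}/`).hostname;
    return ascii.replace(/\.$/, '') || null; // drop a trailing root dot
  } catch {
    return null;
  }
}

// Canonicalize the configured hostnames once; fail loudly on a bad entry.
function buildAllowlist(hostnames) {
  const set = new Set();
  for (const h of hostnames) {
    const c = canonicalHost(h);
    if (c === null) throw new Error(`invalid allowlist hostname: ${h}`);
    set.add(c);
  }
  return set;
}

// Decide on the host the browser would actually connect to, not on the raw
// attribute text. Relative URLs resolve to the placeholder base host, which
// is never in the allowlist, so they are rejected.
function isAllowedIframeSrc(src, allowlist) {
  let url;
  try {
    url = new URL(src, 'https://no-host.invalid/');
  } catch {
    return false;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const host = canonicalHost(url.hostname);
  return host !== null && allowlist.has(host);
}

// Constructed sample allowlist: one ASCII host and one IDN host.
const sampleAllowlist = buildAllowlist(['www.youtube.com', 'bücher.example']);
```

Applying the same canonicalization to the configured list and to the parsed URL keeps the comparison independent of how a hostname happens to be spelled in the markup.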
