Description
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option.
Remediation
References
https://advisory.checkmarx.net/advisory/CX-2021-4308
https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#231-2021-01-22
https://github.com/apostrophecms/sanitize-html/pull/458
Related Vulnerabilities
CVE-2021-27292 Vulnerability in npm package ua-parser-js
CVE-2020-2253 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2021-21141 Vulnerability in npm package electron
CVE-2022-24376 Vulnerability in npm package git-promise
CVE-2016-4055 Vulnerability in maven package org.webjars.bower:moment