Description
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when "allowIframeRelativeUrls" is set to true. This allows attackers to bypass the hostname whitelist for the iframe element by using an src value that starts with "/\\example.com".
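The class of flaw described above, as an added example (not sanitize-html's own code): a simplified prefix-based "is this relative?" check next to one that resolves the value with the WHATWG URL parser, which treats a backslash like a slash for http(s) URLs. The function names, the allowlist and the sentinel base are assumptions made for this illustration.

```javascript
// Constructed allowlist and sample values for this illustration.
const ALLOWED_IFRAME_HOSTNAMES = ["www.youtube.com"];
// Placeholder base used only to resolve relative values (.invalid is a reserved TLD).
const SENTINEL_BASE = "https://relative.invalid";

// Simplified flawed check (hypothetical): a leading "/" that is not "//"
// is assumed to be a same-site relative URL, so the allowlist is skipped.
function naiveIframeSrcAllowed(src, allowRelative) {
  if (allowRelative && src.startsWith("/") && !src.startsWith("//")) {
    return true;
  }
  try {
    return ALLOWED_IFRAME_HOSTNAMES.includes(new URL(src).hostname);
  } catch {
    return false; // not an absolute URL
  }
}

// Hardened check: resolve the value the way a browser would, then decide.
function strictIframeSrcAllowed(src, allowRelative) {
  let url;
  try {
    url = new URL(src, SENTINEL_BASE);
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // Only a value that stays on the sentinel host is really relative.
  if (url.host === new URL(SENTINEL_BASE).host) return allowRelative;
  return ALLOWED_IFRAME_HOSTNAMES.includes(url.hostname);
}

// In JS source, "/\\example.com" is the characters: / \ e x a m p l e . c o m
const SAMPLES = [
  "/embed/local",
  "/\\example.com",
  "//example.com/x",
  "https://www.youtube.com/embed/abc",
  "https://example.com/",
];

// Returns one row per sample so the two checks can be compared.
function compareChecks(allowRelative = true) {
  return SAMPLES.map((src) => ({
    src,
    naive: naiveIframeSrcAllowed(src, allowRelative),
    strict: strictIframeSrcAllowed(src, allowRelative),
  }));
}

console.table(compareChecks());
```

Only the `/\example.com` row differs between the two columns: the prefix check accepts it as relative, while the parser resolves it to host `example.com`, which is not on the allowlist.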
Remediation
References
https://advisory.checkmarx.net/advisory/CX-2021-4309
https://github.com/apostrophecms/sanitize-html/blob/main/CHANGELOG.md#232-2021-01-26
https://github.com/apostrophecms/sanitize-html/pull/460