{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2020-4054","title":"Title"},{"category":"description","text":"In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's \"relaxed\" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2020-4054","url":"https://www.suse.com/security/cve/CVE-2020-4054"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1173255 for CVE-2020-4054","url":"https://bugzilla.suse.com/1173255"}],"title":"SUSE CVE CVE-2020-4054","tracking":{"current_release_date":"2025-04-25T05:47:25Z","generator":{"date":"2023-02-15T04:03:25Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2020-4054","initial_release_date":"2023-02-15T04:03:25Z","revision_history":[{"date":"2023-02-15T04:03:25Z","number":"2","summary":"Current version"},{"date":"2025-01-01T05:57:59Z","number":"3","summary":"Current version"},{"date":"2025-02-15T06:35:15Z","number":"4","summary":"Current version"},{"date":"2025-02-17T06:58:07Z","number":"5","summary":"Current version"},{"date":"2025-03-15T10:16:15Z","number":"6","summary":"Current version"},{"date":"2025-04-25T05:47:25Z","number":"7","summary":"Current version"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15","product":{"name":"SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP1","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp2"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 6-LTSS","product":{"name":"SUSE OpenStack Cloud 6-LTSS","product_id":"SUSE OpenStack Cloud 6-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-ltss:6"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 7","product":{"name":"SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:7"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_version","name":"ruby2.1-rubygem-rails-html-sanitizer","product":{"name":"ruby2.1-rubygem-rails-html-sanitizer","product_id":"ruby2.1-rubygem-rails-html-sanitizer","product_identification_helper":{"cpe":"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/ruby2.1-rubygem-rails-html-sanitizer@?upstream=rubygem-rails-html-sanitizer.src.rpm"}}},{"category":"product_version","name":"ruby2.5-rubygem-rails-html-sanitizer","product":{"name":"ruby2.5-rubygem-rails-html-sanitizer","product_id":"ruby2.5-rubygem-rails-html-sanitizer","product_identification_helper":{"cpe":"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/ruby2.5-rubygem-rails-html-sanitizer@?upstream=rubygem-rails-html-sanitizer.src.rpm"}}},{"category":"product_version","name":"rubygem-rails-html-sanitizer","product":{"name":"rubygem-rails-html-sanitizer","product_id":"rubygem-rails-html-sanitizer","product_identification_helper":{"cpe":"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","purl":"pkg:rpm/suse/rubygem-rails-html-sanitizer@"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rails-html-sanitizer as component of SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-rails-html-sanitizer"},"product_reference":"ruby2.5-rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rails-html-sanitizer as component of SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15:rubygem-rails-html-sanitizer"},"product_reference":"rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rails-html-sanitizer as component of SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-rails-html-sanitizer"},"product_reference":"ruby2.5-rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rails-html-sanitizer as component of SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-rails-html-sanitizer"},"product_reference":"rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rails-html-sanitizer as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-rails-html-sanitizer"},"product_reference":"ruby2.5-rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rails-html-sanitizer as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-rails-html-sanitizer"},"product_reference":"rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud 6-LTSS","product_id":"SUSE OpenStack Cloud 6-LTSS:ruby2.1-rubygem-rails-html-sanitizer"},"product_reference":"ruby2.1-rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud 6-LTSS"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud 6-LTSS","product_id":"SUSE OpenStack Cloud 6-LTSS:rubygem-rails-html-sanitizer"},"product_reference":"rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud 6-LTSS"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7:ruby2.1-rubygem-rails-html-sanitizer"},"product_reference":"ruby2.1-rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud 7"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7:rubygem-rails-html-sanitizer"},"product_reference":"rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud 7"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-rails-html-sanitizer"},"product_reference":"ruby2.1-rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:rubygem-rails-html-sanitizer"},"product_reference":"rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-rails-html-sanitizer"},"product_reference":"ruby2.1-rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rails-html-sanitizer as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:rubygem-rails-html-sanitizer"},"product_reference":"rubygem-rails-html-sanitizer","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"}]},"vulnerabilities":[{"cve":"CVE-2020-4054","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-4054"}],"notes":[{"category":"general","text":"In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's \"relaxed\" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-rails-html-sanitizer","SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-rails-html-sanitizer","SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-rails-html-sanitizer","SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-rails-html-sanitizer","SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-rails-html-sanitizer","SUSE Linux Enterprise High Availability Extension 15:rubygem-rails-html-sanitizer","SUSE OpenStack Cloud 6-LTSS:ruby2.1-rubygem-rails-html-sanitizer","SUSE OpenStack Cloud 6-LTSS:rubygem-rails-html-sanitizer","SUSE OpenStack Cloud 7:ruby2.1-rubygem-rails-html-sanitizer","SUSE OpenStack Cloud 7:rubygem-rails-html-sanitizer","SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-rails-html-sanitizer","SUSE OpenStack Cloud Crowbar 8:rubygem-rails-html-sanitizer","SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-rails-html-sanitizer","SUSE OpenStack Cloud Crowbar 9:rubygem-rails-html-sanitizer"]},"references":[{"category":"external","summary":"CVE-2020-4054","url":"https://www.suse.com/security/cve/CVE-2020-4054"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1173255 for CVE-2020-4054","url":"https://bugzilla.suse.com/1173255"}],"threats":[{"category":"impact","date":"2020-06-17T02:00:56Z","details":"moderate"}],"title":"CVE-2020-4054"}]}