
Cloud Vulnerability DB
A community-led vulnerabilities database
Sanitize, an allowlist-based HTML and CSS sanitizer for Ruby, was found to contain a security vulnerability (CVE-2023-36823) affecting versions 3.0.0 through 6.0.1. The vulnerability was discovered and disclosed in July 2023. It affects applications that use Sanitize with either the built-in "relaxed" config or a custom config that allows both style elements and CSS at-rules (GitHub Advisory).
The vulnerability stems from insufficient neutralization of style element content. When style elements and CSS at-rules are permitted, Sanitize passed crafted CSS through with the character sequence `</` intact. A browser tokenizes the body of a style element as raw text and ends the element at the first `</style` it sees, regardless of CSS syntax, so CSS that contains `</style>` followed by markup causes everything after that sequence to be parsed as HTML. The attacker's HTML and CSS therefore survive sanitization and reach the browser unsanitized (GitHub Release).
If exploited, this vulnerability can result in cross-site scripting (XSS) or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Applications that rely on Sanitize as their only defense against untrusted markup and that use the relaxed configuration, or a custom configuration allowing style elements together with at-rules, are exposed (Debian LTS).
The issue is fixed in Sanitize 6.0.2, which escapes `</` in style element content so that it can no longer close the element when the output is re-parsed. For users unable to upgrade, the advisory lists three workarounds: use a Sanitize config that does not allow the style element, use a config that does not allow CSS at-rules, or manually escape the character sequence `</` in style element content before passing it to Sanitize or in the sanitized output (GitHub Advisory).
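The following Ruby example is added here and is not code from the Sanitize project or the advisory. It models, without any gems, the two halves of the problem described above: a simplified version of the HTML tokenizer's raw-text rule for style elements, which shows how `</style>` inside CSS breaks out of the element, and the `</` to `<\/` escaping the advisory lists as a manual workaround. The function names and the attacker-controlled CSS are constructed for illustration.

```ruby
# Added example, not code from the Sanitize project: a dependency-free model
# of why "</" inside a <style> element defeats CSS-level sanitization, and
# the "</" -> "<\/" escaping that the advisory lists as a manual workaround.

# Model of the HTML tokenizer's RAWTEXT rule for <style>: the element's text
# ends at the first "</style" (case-insensitive), regardless of CSS syntax.
# Returns [style_text, markup_after_the_element].
def split_style_rawtext(html)
  open_tag = html.match(/\A<style[^>]*>/i)
  raise ArgumentError, "expected html to start with a <style> element" unless open_tag
  body = html[open_tag[0].length..-1]
  close = body.index(/<\/style/i)
  return [body, ""] if close.nil?
  [body[0...close], body[close..-1].sub(/\A<\/style\s*>/i, "")]
end

# The workaround from the advisory: escape "</" as "<\/". A CSS parser reads
# "\/" as an escaped "/", so the stylesheet keeps its meaning, but the HTML
# tokenizer no longer finds "</style" inside the element. The block form is
# used so gsub does not interpret the backslash in the replacement string.
def escape_style_content(css)
  css.gsub("</") { "<\\/" }
end

# True when style text contains no "</": the check to apply to CSS before it
# is placed into a <style> element (for example in a Sanitize transformer).
def style_text_safe?(css)
  !css.include?("</")
end

# Constructed attacker-controlled CSS (not a payload from the advisory): the
# at-rule is valid CSS; the breakout is the "</style>" and the markup after it.
CRAFTED_CSS = "@media screen { body { color: red } } </style><img src=x onerror=alert(1)>"

# Returns the markup a browser would see outside the style element when the
# given CSS is placed inside <style>...</style>.
def markup_leaked(css)
  split_style_rawtext("<style>#{css}</style>")[1]
end

if __FILE__ == $0
  puts "unescaped -> leaked markup: #{markup_leaked(CRAFTED_CSS).inspect}"
  escaped = escape_style_content(CRAFTED_CSS)
  puts "escaped   -> leaked markup: #{markup_leaked(escaped).inspect}"
  puts "escaped css passes check? #{style_text_safe?(escaped)}"
end
```

With the unescaped CSS the model reports `<img src=x onerror=alert(1)>` as markup outside the style element; with the escaped CSS nothing leaks and the stylesheet still parses as CSS. With the gem installed, the config-based workarounds use Sanitize's documented `Sanitize::Config.merge` helper: drop `'style'` from `Sanitize::Config::RELAXED[:elements]`, or set the `:css` sub-config's `:at_rules`, `:at_rules_with_properties` and `:at_rules_with_styles` to empty arrays (the key names here follow the gem's README; check them against the version you run).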
Source: This report was generated using AI