Description
Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of <svg>/<math> elements and </p>/</br>. An example payload is: <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">.
Recommendation
Update the dompurify package to the latest compatible version. The version details are as follows:
- Affected version(s): < 2.0.3
- Patched version(s): 2.0.3
References
- GHSA-chqj-j4fh-rw7m
- research.securitum.com
- www.npmjs.com
- lists.debian.org
- CVE-2019-16728
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Firebase vulnerable to CSRF attack - CVE-2024-4128
- mavo DOM Clobbering vulnerability - CVE-2024-53388
- DOMPurify vulnerable to tampering by prototype pollution - CVE-2024-48910
- DOMpurify has a nesting-based mXSS - CVE-2024-47875
- Tags:
- npm
- dompurify
Last updated on September 13, 2023