Description
Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of <svg>/<math> elements and </p>/</br>. An example payload is: <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">.
Recommendation
Update the dompurify package to the latest compatible version. Version details:
- Affected version(s): < 2.0.3
- Patched version(s): 2.0.3
References
- GHSA-chqj-j4fh-rw7m
- research.securitum.com
- www.npmjs.com
- lists.debian.org
- CVE-2019-16728
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Cross-Site Scripting in serialize-to-js - CVE-2019-16772
- Materialize-css vulnerable to Cross-site Scripting in autocomplete component (GHSA-7752-f4gf-94gc) - CVE-2019-11003
- Materialize-css vulnerable to Cross-site Scripting in tooltip component - CVE-2019-11002
- Materialize-css vulnerable to Cross-site Scripting in tooltip component (GHSA-98f7-p5rc-jx67) - CVE-2019-11002
Tags:
- npm
- dompurify
Last updated on September 13, 2023