Cross-Site Scripting in dompurify (GHSA-mjjq-c88q-qhr6)

Description

Versions of dompurify prior to 2.0.7 are vulnerable to Cross-Site Scripting (XSS). It is possible to bypass the package sanitization through Mutation XSS, which may allow an attacker to execute arbitrary JavaScript in a victim’s browser.

Recommendation

Update the dompurify package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.0.7
• Patched version(s): 2.0.7

References

• GHSA-mjjq-c88q-qhr6
• www.npmjs.com
• CWE-79
• OWASP 2021-A3

Related Issues

• Cross-Site Scripting in swagger-ui (GHSA-4f9m-pxwh-68hg) - Vulnerability
• Bootstrap Cross-site Scripting vulnerability (GHSA-7mvr-5x2g-wfc8) 2 - CVE-2018-14042
• Bootstrap Cross-site Scripting vulnerability (GHSA-4p24-vmcr-4gqj) - CVE-2016-10735
• bootstrap Cross-site Scripting vulnerability (GHSA-ph58-4vrj-w6hr) 2 - CVE-2018-20677

Tags:

npm

dompurify