Description
DOMPurify was vulnerable to nesting-based mXSS.
Fixed by 0ef5e537 (2.x) and merge 943.
Backporters should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking.
A POC is available under test.
Recommendation
Update the dompurify package to the latest compatible version. Version details:
Affected version(s): **>= 3.0.0, < 3.1.3** and **< 2.5.0**
Patched version(s): **3.1.3** and **2.5.0**
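The ranges above are easy to misread when a stale copy of dompurify sits nested under another dependency. The following is an added example (not part of this advisory and not DOMPurify project code) that encodes the affected ranges as stated on this page and scans a package-lock.json object for dompurify entries that fall inside them. The lock-file content is constructed sample data; `some-editor` is a hypothetical package name.

```javascript
// Added example (not part of the advisory): flag dompurify versions that fall
// inside the affected ranges stated on this page, and scan a package-lock.json
// structure for them. The ranges are copied from the advisory text; the
// package-lock content is constructed sample data, not a real project's.

// Affected ranges as stated on the page: >= 3.0.0 < 3.1.3, and < 2.5.0.
const AFFECTED_RANGES = [
  { min: '3.0.0', max: '3.1.3' }, // min inclusive, max exclusive
  { min: null, max: '2.5.0' },    // no lower bound
];

// Parse "MAJOR.MINOR.PATCH"; an optional leading "v" and any pre-release or
// build suffix are ignored, which is sufficient for dompurify release versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1, comparing two version strings component by component.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies in any affected range.
function isAffectedDompurify(version) {
  return AFFECTED_RANGES.some(({ min, max }) =>
    (min === null || compareVersions(version, min) >= 0) &&
    compareVersions(version, max) < 0);
}

// Walk a lockfileVersion 2/3 package-lock.json object and return the lock
// paths of every dompurify entry with an affected version. This also catches
// a transitive copy nested under another package's node_modules, which is
// where an old version usually hides after the top-level one is upgraded.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/dompurify')) continue;
    if (isAffectedDompurify(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock file: a patched direct dependency plus a stale
// transitive copy pulled in by a hypothetical "some-editor" package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { dompurify: '^3.1.3' } },
    'node_modules/dompurify': { version: '3.1.3' },
    'node_modules/some-editor': { version: '1.0.0', dependencies: { dompurify: '^2.4.0' } },
    'node_modules/some-editor/node_modules/dompurify': { version: '2.4.7' },
  },
};

// Example run against the constructed lock: only the nested 2.4.7 copy is reported.
for (const hit of findAffectedInLock(SAMPLE_LOCK)) {
  console.log(`affected dompurify ${hit.version} at ${hit.path}`);
}
```

To use it on a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a hit under a nested path means the fix is a dependency override or an upgrade of the parent package, not just of the top-level dompurify entry.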
References
Related Issues
- Cross-Site Scripting in html-pages - CVE-2018-16481
- DOMPurify vulnerable to tampering by prototype pollution - CVE-2024-48910
- DOMPurify allows tampering by prototype pollution - CVE-2024-45801
- Cross-site scripting in Swagger-UI - CVE-2019-17495
Tags:
- npm
- dompurify
Last updated on October 11, 2024