Insecure Defaults

Affecting dompurify package, versions <0.3

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering when used by a sanitized website. The default was changed to pevent such situations.

You can read more about Insecure Defaults on our blog.

Remediation

Upgrade dompurify to version 0.3 or higher.

References

Do your applications use this vulnerable package?

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
cure53
CWE
CWE-79
Snyk ID
npm:dompurify:20140308
Disclosed
07 Mar, 2014
Published
24 Apr, 2017