Overview
dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering on a website that used the sanitizer; the default was changed to prevent such situations.
You can read more about Insecure Defaults on our blog.
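To show what the hardened default has to catch, here is an added illustration of a DOM-clobbering check (example code written for this page, not DOMPurify's own implementation): an `id` or `name` attribute whose value collides with a built-in property of `document` or of a form element is dropped, because such an element would shadow that property for later script code. The `CLOBBERABLE` list and the `stripClobberingAttrs` helper are constructed for the example; a real sanitizer checks against the live DOM objects rather than a fixed list.

```javascript
// Constructed, non-exhaustive set of property names that an injected id/name
// attribute could shadow (document.cookie, document.forms, form.submit, ...).
const CLOBBERABLE = new Set([
  "cookie", "location", "domain", "body", "forms", "images", "createElement",
  "getElementById", "submit", "reset", "action", "method", "elements", "__proto__",
]);

// Minimal attribute scanner for a markup fragment, used only so the example
// runs without a DOM implementation; it is not a full HTML parser.
// Groups: 1 leading whitespace, 2 attribute name, 3/4/5 quoted or bare value.
const ATTR_RE = /(\s)(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Ids and property lookups are case-sensitive, so the match is exact.
function isClobbering(value) {
  return CLOBBERABLE.has(value.trim());
}

// Returns the fragment with clobbering id/name attributes removed and a list
// of the attributes that were stripped, so the decision can be logged.
function stripClobberingAttrs(markup) {
  const stripped = [];
  const cleaned = markup.replace(ATTR_RE, (match, ws, attr, dq, sq, bare) => {
    const value = dq ?? sq ?? bare;
    if (isClobbering(value)) {
      stripped.push(`${attr.toLowerCase()}=${value}`);
      return ""; // drop the attribute together with its leading whitespace
    }
    return match; // harmless attribute, keep as-is
  });
  return { cleaned, stripped };
}

// Constructed sample input: two clobbering attributes and one harmless one.
const sample = '<form name="forms"><input name="submit"><input name="username"></form>';
console.log(stripClobberingAttrs(sample));
```

In DOMPurify itself this behaviour is governed by the `SANITIZE_DOM` option, which is enabled by default in current releases.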
Remediation
Upgrade dompurify to version 0.3 or higher.
CVSS Score
6.5 (medium severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: cure53
- CWE: CWE-79
- Snyk ID: npm:dompurify:20140308
- Disclosed: 07 Mar, 2014
- Published: 24 Apr, 2017