Lucene search
MichaΕ BentkowskiNODEJS:1205HistoryOct 04, 2019 - 7:21 p.m.
Cross-Site Scripting
2019-10-0419:21:25
MichaΕ Bentkowski
www.npmjs.com
21
EPSS
0.001
Percentile
47.0%
Overview
Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of <svg>/<math> elements and </p>/</br>. An example payload is: <svg></p><style><a>. This allows attackers to bypass the XSS protection and execute arbitrary JavaScript in a victimβs browser.
Recommendation
Upgrade to version 2.0.3 or later. You may also disallow <svg> and <math> through dompurify configurations:
FORBID_TAGS: ['svg', 'math']
});```
## References
- [Vulnerability Report by Securitum](https://research.securitum.com/dompurify-bypass-using-mxss/)
- [GitHub Advisory](https://github.com/advisories/GHSA-chqj-j4fh-rw7m)Related
osv
osv
CVE-2019-16728
2019-09-24 05:15:11
Cross-Site Scripting in dompurify
2020-08-28 21:25:11
dompurify.js - security update
2020-10-29 00:00:00
nodejs
nodejs
Cross-Site Scripting
2019-10-21 17:42:06
veracode
veracode
Cross-Site Scripting (XSS)
2019-09-25 06:02:37
nvd
nvd
CVE-2019-16728
2019-09-24 05:15:11
prion
prion
Cross site scripting
2019-09-24 05:15:00
ubuntucve
ubuntucve
CVE-2019-16728
2019-09-24 00:00:00
cvelist
cvelist
CVE-2019-16728
2019-09-24 04:02:09
debiancve
debiancve
CVE-2019-16728
2019-09-24 05:15:00
cve
cve
CVE-2019-16728
2019-09-24 05:15:11
github
github
Cross-Site Scripting in dompurify
2020-08-28 21:25:11
nessus
nessus
Debian DLA-2419-1 : dompurify.js security update
2020-10-30 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-2419-1)
2020-10-30 00:00:00
debian
debian
[SECURITY] [DLA 2419-1] dompurify.js security update
2020-10-29 16:03:08
githubexploit
githubexploit
Exploit for Path Traversal in Nazgul Nostromo Nhttpd
2019-10-15 09:22:36
