GHSA-gx9m-whjm-85jf

Suggest an improvement
Source
https://github.com/advisories/GHSA-gx9m-whjm-85jf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-gx9m-whjm-85jf/GHSA-gx9m-whjm-85jf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gx9m-whjm-85jf
Aliases
Related
Published
2024-10-11T17:27:29Z
Modified
2024-10-11T17:57:10.818749Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H CVSS Calculator
  • 7.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:H CVSS Calculator
Summary
DOMpurify has a nesting-based mXSS
Details

DOMpurify was vulnerable to nesting-based mXSS

fixed by 0ef5e537 (2.x) and merge 943

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under test

References

Affected packages

npm / dompurify

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.0

npm / dompurify

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.1.3