Описание
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| cacti | fixed | 1.2.26+ds1-1 | package | |
| cacti | fixed | 1.2.24+ds1-1+deb12u2 | bookworm | package |
| node-dompurify | fixed | 3.0.9+dfsg+~3.0.5-1 | package | |
| node-dompurify | fixed | 2.4.1+dfsg+~2.4.0-2+deb12u1 | bookworm | package |
Примечания
https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr
https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc (2.4.2)
Mark cacti/1.2.26+ds1-1 which is the version starting to depend on node-dompurify
and link purify.js instead of using the upstream version.
EPSS
Связанные уязвимости
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
DOMPurify vulnerable to tampering by prototype polution
Уязвимость JavaScript-библиотеки для безопасной очистки и защиты HTML-кода DOMPurify, связанная с неконтролируемым изменением атрибутов прототипа объекта, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации
EPSS