logo

Database

Reflected cross-site scripting (XSS) In dompurify

Description

Cross-Site Scripting in dompurify Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of <svg>/<math> elements and </p>/</br>. An example payload is: <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">. This allows attackers to bypass the XSS protection and execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 2.0.3 or later. You may also disallow <svg> and <math> through dompurify configurations:

     FORBID_TAGS: ['svg', 'math']
 });```

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-167282. NVD-2019-167283. OSV-2019-167284. GCVE-2019-167285. lists.debian.org

References

1. https://research.securitum.com/dompurify-bypass-using-mxss2. https://www.npmjs.com/advisories/1205

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.