Fluid Attacks Database

Description

DOMpurify has a nesting-based mXSS DOMpurify was vulnerable to nesting-based mXSS

Backporter should be aware of GHSA-mmhx-hmjr-r674 (CVE-2024-45801) when cherry-picking

POC is avaible under test

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	cacti	>=0 <1.2.26+ds1-1	1.2.26+ds1-1
debian 14	node-dompurify	>=0 <3.1.6+dfsg+~3.0.5-1	3.1.6+dfsg+~3.0.5-1
debian 11	cacti	=1.2.16+ds1-2 \|\| =1.2.16+ds1-2+deb11u1 \|\| =1.2.16+ds1-2+deb11u2 \|\| =1.2.16+ds1-2+deb11u3 \|\| =1.2.16+ds1-2+deb11u4 \|\| >=0 <1.2.16+ds1-2+deb11u5	1.2.16+ds1-2+deb11u5
debian 12	cacti	=1.2.24+ds1-1 \|\| =1.2.24+ds1-1+deb12u1 \|\| >=0 <1.2.24+ds1-1+deb12u2	1.2.24+ds1-1+deb12u2
debian 12	node-dompurify	=2.4.1+dfsg+~2.4.0-1 \|\| >=0 <2.4.1+dfsg+~2.4.0-2	2.4.1+dfsg+~2.4.0-2
debian 13	node-dompurify	>=0 <3.1.6+dfsg+~3.0.5-1	3.1.6+dfsg+~3.0.5-1
npm	dompurify	>=0 <2.5.0 \|\| >=3.0.0 <3.1.3	2.5.0, 3.1.3
rpm rhel9	grafana	<0:9.2.10-19.el9_4 \|\| >=0:10.2.6, <0:10.2.6-7.el9_5	0:10.2.6-7.el9_5
rpm rhel10	grafana	-	-
rpm rhel8	grafana	<0:9.2.10-20.el8_10	0:9.2.10-20.el8_10

1-10 of 11

Aliases

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.