
WS-2024-0017


Date: February 8, 2024

Insufficient checks in DOMPurify allow an attacker to bypass the sanitizer and execute arbitrary JavaScript code. This issue affects versions before 2.5.8 and 3.x before 3.2.3.

Language: JS

Severity Score

Weakness Type (CWE)

Heap-based Buffer Overflow

CWE-122

Top Fix


Upgrade Version


Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE
