DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
WS-2023-0007 - Medium Severity Vulnerability
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dompurify/package.json
Dependency Hierarchy: - docsify-cli-4.4.1.tgz (Root Library) - docsify-server-renderer-4.11.6.tgz - :x: **dompurify-2.1.1.tgz** (Vulnerable Library)
Found in base branch: main
dompurify prior to version 2.2.3 is vulnerable to a cross-site scripting problem caused by nested headlines.
Publish Date: 2024-11-03
URL: WS-2023-0007
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h6p3-p4vx-wr8q
Release Date: 2023-01-12
Fix Resolution (dompurify): 2.2.3
Direct dependency fix Resolution (docsify-cli): 4.4.2