CVE-2020-26870 (Medium) detected in dompurify-2.0.8.tgz

[mend-bolt-for-github[bot]]

CVE-2020-26870 - Medium Severity Vulnerability

Vulnerable Library - dompurify-2.0.8.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-2.0.8.tgz

Path to dependency file: verdaccio-github-oauth-ui/package.json

Path to vulnerable library: verdaccio-github-oauth-ui/node_modules/dompurify/package.json

Dependency Hierarchy: - verdaccio-4.10.0.tgz (Root Library) - readme-9.7.3.tgz - :x: **dompurify-2.0.8.tgz** (Vulnerable Library)

Found in HEAD commit: 99da7c55141cde3ee9a451a1dc45852574b194f8

Found in base branch: master

Vulnerability Details

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Publish Date: 2020-10-07

URL: CVE-2020-26870

CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26870

Release Date: 2020-10-07

Fix Resolution: 2.0.17

---

Step up your Open Source Security Game with WhiteSource here