eKoopmans/html2pdf.js

CVE-2020-7691 Security Vulnerability Issue

parithibang opened this issue · 2 comments

With the latest version of jspdf:2.5.1 integrated into the project, we are getting a security vulnerability issue:

CVE-2020-7691 EPSS: 0.17% CVSS: 6.1
In all versions of the package jspdf, it is possible to use `<<script>script>` in order to go over the filtering regex.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7691
https://nvd.nist.gov/vuln/detail/CVE-2020-7691

Will there be a fix for this provided?

Could you give us some steer on this, @eKoopmans?

Thanks for the heads up!

The good news is that the fromHTML method reported in CVE-2020-7691 no longer exists in jsPDF:

Even if that method did still exist in jsPDF, we only use the methods addPage, addImage, output, and save.

I think this should be safe to close.
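
Why the `<<script>script>` input quoted in the CVE description gets past a single-pass filtering regex, as an added example that is not part of the original thread and is not jsPDF's or html2pdf.js's code. The regex, the function names and the sample string are hypothetical stand-ins constructed for illustration.

```javascript
// Added illustration. The regex and function names are hypothetical stand-ins,
// not the filter jsPDF shipped.
const SCRIPT_TAG = /<\/?script[^>]*>/gi;

// Weak: one left-to-right pass. Deleting the inner tag lets the characters
// around it join into a new tag that this pass never rescans.
function stripOnce(html) {
  return html.replace(SCRIPT_TAG, "");
}

// Better: repeat until the output stops changing (a fixed point).
function stripUntilStable(html) {
  let previous;
  do {
    previous = html;
    html = stripOnce(html);
  } while (html !== previous);
  return html;
}

// Most robust for untrusted text: encode markup characters instead of deleting.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Regression check: does a filter's output still contain what it should remove?
function leavesScriptTag(filter, input) {
  return /<\/?script[^>]*>/i.test(filter(input));
}

// Constructed sample built from the pattern quoted in the CVE description.
const sample = "<<script>script>void 0<</script>/script>";

console.log(stripOnce(sample));
console.log(stripUntilStable(sample));
console.log(escapeHtml(sample));
```

`leavesScriptTag` can be dropped into a unit test suite to confirm that whichever sanitiser a project relies on does not reassemble a tag from nested input.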