logzio/logz-docs

CVE-2019-16728 (Medium) detected in dompurify-1.0.10.tgz

mend-for-github-com opened this issue · 1 comment

CVE-2019-16728 - Medium Severity Vulnerability

Vulnerable Library - dompurify-1.0.10.tgz

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

Library home page: https://registry.npmjs.org/dompurify/-/dompurify-1.0.10.tgz

Path to dependency file: /tmp/ws-scm/logz-docs/package.json

Path to vulnerable library: /tmp/ws-scm/logz-docs/node_modules/dompurify/package.json

Dependency Hierarchy:

  • redoc-2.0.0-rc.8-1.tgz (Root Library)
    • dompurify-1.0.10.tgz (Vulnerable Library)

Found in HEAD commit: fb7bb0f50f982132eca8f7a88b515f9578dea8e0

Vulnerability Details

DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari. The sanitizer's output is safe as a DOM tree, but when the serialized markup is assigned back through innerHTML the browser re-parses it, and a crafted SVG or MATH subtree can mutate into active HTML during that second parse, bypassing the sanitizer.

Publish Date: 2019-09-24

URL: CVE-2019-16728

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16728

Release Date: 2019-09-24

Fix Resolution: 2.0.1

Fixed in package-lock.json. Closing.

```json
    "dompurify": {
      "version": "2.0.7",
      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.0.7.tgz"
    }
```
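One caveat worth checking before closing an issue like this: the vulnerable copy was reported under redoc, not at the top level, and a top-level dompurify entry at 2.0.7 does not by itself prove that npm removed the nested 1.0.10 that redoc resolved for itself. The following is an added example, not part of this issue or the logz-docs repository: it walks a lockfileVersion 1 package-lock.json (the nested "dependencies" shape shown above), collects every installed copy of a package with its dependency path, and flags each copy below the fix resolution using a semver precedence comparison. The lockfile object is constructed here and modelled on the hierarchy in this issue; it does not reflect the actual state of the repository's lockfile.

```javascript
// Added example: find every copy of a package in a lockfileVersion 1
// package-lock.json and report copies older than the fixed version.
// Not part of the original issue or the logz-docs project.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver 2.0 precedence: numeric parts first, then a pre-release tag sorts
// before the same version without one, identifiers compared left to right.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) { if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] < +y.pre[i] ? -1 : 1; }
    else if (nx) return -1;
    else if (ny) return 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, top-level or nested,
// together with the dependency path that pulled it in.
function findPackage(lock, name) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, `${dep}@${info.version}`];
      if (dep === name) hits.push({ path: here, version: info.version });
      walk(info.dependencies, here); // nested copies npm could not dedupe
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Every copy of `name` whose version is below `fixed`.
function vulnerableCopies(lock, name, fixed) {
  return findPackage(lock, name).filter((h) => compareSemver(h.version, fixed) < 0);
}

// Constructed lockfile excerpt modelled on the hierarchy in this issue:
// a fixed top-level copy plus a nested copy still pinned under redoc.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    redoc: {
      version: '2.0.0-rc.8-1',
      dependencies: {
        dompurify: { version: '1.0.10', resolved: 'https://registry.npmjs.org/dompurify/-/dompurify-1.0.10.tgz' },
      },
    },
    dompurify: { version: '2.0.7', resolved: 'https://registry.npmjs.org/dompurify/-/dompurify-2.0.7.tgz' },
  },
};

for (const hit of vulnerableCopies(SAMPLE_LOCK, 'dompurify', '2.0.1')) {
  console.log(`still vulnerable: ${hit.path.join(' > ')}`);
}
```

To run it against a real lockfile, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a hit whose path starts with the root library name means the root library's own range is what keeps the old copy installed, and only a root library upgrade or an npm override will remove it.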