Merge pull request #128 from AikidoSec/dompurify

new vulnerability in dompurify
AikidoSec · Jan 30, 2025 · ab69be5 · ab69be5
2 parents e11f0d5 + c7d888d
commit ab69be5
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/vulnerabilities/AIKIDO-2025-10062.json b/vulnerabilities/AIKIDO-2025-10062.json
@@ -0,0 +1,27 @@
+{
+  "package_name": "dompurify",
+  "patch_versions": [
+    "3.2.4"
+  ],
+  "vulnerable_ranges": [
+    [
+      "1.0.0",
+      "3.2.3"
+    ]
+  ],
+  "cwe": [
+    "CWE-79"
+  ],
+  "tldr": "Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `DOMPurify.sanitize` function.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `dompurify` library to a patch version.",
+  "reporter": "",
+  "vulnerable_to": "Cross-site Scripting (XSS)",
+  "related_cve_id": "",
+  "language": "JS",
+  "severity_class": "LOW",
+  "aikido_score": 16,
+  "changelog": "https://github.com/cure53/DOMPurify/releases/tag/3.2.4",
+  "last_modified": "2025-01-30",
+  "published": "2025-01-30"
+}