DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Thu, 19 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat acm
CPEs cpe:/a:redhat:acm:2.11::el9
Vendors & Products Redhat acm

Wed, 04 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ansible Automation Platform
CPEs cpe:/a:redhat:ansible_automation_platform:2.4::el8
cpe:/a:redhat:ansible_automation_platform:2.4::el9
Vendors & Products Redhat ansible Automation Platform

Tue, 22 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat network Observ Optr
CPEs cpe:/a:redhat:network_observ_optr:1.7.0::el9
Vendors & Products Redhat network Observ Optr

Tue, 08 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat cryostat
CPEs cpe:/a:redhat:cryostat:3::el8
Vendors & Products Redhat cryostat

Thu, 03 Oct 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat logging
CPEs cpe:/a:redhat:logging:5.9::el9
Vendors & Products Redhat
Redhat logging

Tue, 17 Sep 2024 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Sep 2024 01:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 16 Sep 2024 18:30:00 +0000

Type Values Removed Values Added
Description DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Title Tampering by prototype polution in DOMPurify
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-16T18:25:28.065Z

Updated: 2024-09-16T20:04:47.181Z

Reserved: 2024-09-09T14:23:07.503Z

Link: CVE-2024-45801

cve-icon Vulnrichment

Updated: 2024-09-16T20:04:40.596Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-16T19:16:11.080

Modified: 2024-09-20T12:31:20.110

Link: CVE-2024-45801

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-09-16T19:16:11Z

Links: CVE-2024-45801 - Bugzilla