Lucene search

GitHub Advisory DatabaseGHSA-8HGG-XXM5-3873

HistoryNov 14, 2023 - 9:30 p.m.

DOMPurify Open Redirect vulnerability

2023-11-1421:30:51

CWE-601

GitHub Advisory Database

github.com

dompurify

open redirect

vulnerability

demos

hooks-target-blank-demo.html

links

rel="noopener noreferrer

reverse tabnabbing

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

Low

EPSS

0.001

Percentile

17.0%

JSON

DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a ‘rel=“noopener noreferrer”’ attribute.

Affected configurations

Vulners

Node

cure53dompurifyRange<1.0.11

VendorProductVersionCPE
cure53dompurify*cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cure53	dompurify	*	cpe:2.3:a:cure53:dompurify::::::::

References

github.com/advisories/GHSA-8hgg-xxm5-3873

github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83

github.com/cure53/DOMPurify/compare/1.0.10...1.0.11

github.com/cure53/DOMPurify/pull/337

nvd.nist.gov/vuln/detail/CVE-2019-25155

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

Low

EPSS

0.001

Percentile

17.0%

JSON

Related for GHSA-8HGG-XXM5-3873