First published: Mon Sep 16 2024(Updated: )
DOMPurify could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in depth check. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
npm/dompurify | >=3.0.0<3.1.3 | 3.1.3 |
npm/dompurify | <2.5.4 | 2.5.4 |
IBM Data Virtualization on Cloud Pak for Data | <=3.0 | |
IBM Watson Query with Cloud Pak for Data | <=2.2 | |
IBM Watson Query with Cloud Pak for Data | <=2.1 | |
IBM Watson Query with Cloud Pak for Data | <=2.0 | |
IBM Data Virtualization on Cloud Pak for Data | <=1.8 | |
IBM Data Virtualization on Cloud Pak for Data | <=1.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-45801 is considered a high severity vulnerability due to its potential for XSS exploitation.
To fix CVE-2024-45801, update DOMPurify to version 3.1.3 or later, or to version 2.5.4 if using an earlier version.
CVE-2024-45801 allows attackers to bypass depth checking, leading to potential XSS attacks.
CVE-2024-45801 affects users of DOMPurify versions between 3.0.0 and 3.1.3 and those using versions up to 2.5.4.
DOMPurify is an XSS sanitizer for HTML, MathML, and SVG that is affected by CVE-2024-45801 due to a vulnerability in its nesting depth mechanisms.