CVE-2024-47875: DOMPurify nesting-based mXSS
First published: Fri Oct 11 2024(Updated: )
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/dompurify | >=3.0.0<3.1.3 | 3.1.3 |
| npm/dompurify | <2.5.0 | 2.5.0 |
| IBM Data Virtualization on Cloud Pak for Data | <=3.0 | |
| IBM Watson Query with Cloud Pak for Data as a Service | <=2.2 | |
| IBM Watson Query with Cloud Pak for Data as a Service | <=2.1 | |
| IBM Watson Query with Cloud Pak for Data as a Service | <=2.0 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.8 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
- https://nvd.nist.gov/vuln/detail/CVE-2024-47875
- https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f
- https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a
- https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098
- https://github.com/advisories/GHSA-gx9m-whjm-85jf (Advisory)
- https://access.redhat.com/errata/RHSA-2024:8327
- https://access.redhat.com/errata/RHSA-2024:8678
- https://access.redhat.com/errata/RHSA-2024:8683
- https://access.redhat.com/errata/RHSA-2024:9473
- https://access.redhat.com/errata/RHSA-2024:8981
- https://access.redhat.com/errata/RHSA-2024:8991
- https://access.redhat.com/errata/RHSA-2024:9629
- https://access.redhat.com/errata/RHSA-2024:9620
- https://access.redhat.com/errata/RHSA-2024:10236
- https://bugzilla.redhat.com/show_bug.cgi?id=2318052
- https://www.ibm.com/support/pages/node/7183851 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-47875?
The severity of CVE-2024-47875 is classified as high due to its potential for cross-site scripting attacks.
How do I fix CVE-2024-47875?
To fix CVE-2024-47875, update DOMPurify to version 2.5.0 or 3.1.3 or later.
What type of vulnerability is CVE-2024-47875?
CVE-2024-47875 is a nesting-based mXSS vulnerability affecting the DOMPurify library.
What versions of DOMPurify are affected by CVE-2024-47875?
CVE-2024-47875 affects DOMPurify versions between 3.0.0 and 3.1.2, as well as versions below 2.5.0.
Is CVE-2024-47875 a critical vulnerability?
Yes, CVE-2024-47875 is considered a critical vulnerability due to the risk of executing malicious scripts.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gx9m-whjm-85jf
- alias/CVE-2024-47875
- agent/software-canonical-lookup
- agent/author
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/trending
- agent/last-modified-date
- agent/references
- agent/source
- agent/event
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- package-manager/npm
- vendor/ibm
- canonical/ibm data virtualization on cloud pak for data
- version/ibm data virtualization on cloud pak for data/3.0
- canonical/ibm watson query with cloud pak for data as a service
- version/ibm watson query with cloud pak for data as a service/2.2
- version/ibm watson query with cloud pak for data as a service/2.1
- version/ibm watson query with cloud pak for data as a service/2.0
- version/ibm data virtualization on cloud pak for data/1.8
- version/ibm data virtualization on cloud pak for data/1.7