CVE-2022-21169

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21169

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21169.json

Aliases

GHSA-grjp-4jmr-mjcw

Published

2022-09-26T05:15:10Z

Modified

2024-02-17T00:04:48.214897Z

Details

The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.

References

https://github.com/AhmedAdelFahim/express-xss-sanitizer/issues/4
https://security.snyk.io/vuln/SNYK-JS-EXPRESSXSSSANITIZER-3027443
https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a
https://runkit.com/embed/w306l6zfm7tu

Affected packages

Git / github.com/AhmedAdelFahim/express-xss-sanitizer

Affected ranges

Type: GIT
Repo: https://github.com/AhmedAdelFahim/express-xss-sanitizer
Events: Introduced

0The exact introduced commit is unknown

Fixed

3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a

Type: GIT
Repo: https://github.com/ahmedadelfahim/express-xss-sanitizer
Events: Introduced

0The exact introduced commit is unknown

Fixed

a90ee0b5ac15fa1b300663d49d5b8b0d6f242d23

Affected versions

v1.*

v1.1.0

v1.1.1

v1.1.2