Prototype Pollution
CVE-2022-21169

6.1MEDIUM

Key Information:

Vendor: Express Xss Sanitizer Project
Status: Express-xss-sanitizer
Vendor: CVE Published:; 26 September 2022

🔔 Create Express Xss Sanitizer Project Vulnerability Alert

What is CVE-2022-21169?

The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.

Affected Version(s)

express-xss-sanitizer < 1.1.3

References

https://security.snyk.io/vuln/SNYK-JS-EXPRESSXSSSANITIZER...

x_refsource_MISC

https://github.com/AhmedAdelFahim/express-xss-sanitizer/i...

x_refsource_MISC

https://runkit.com/embed/w306l6zfm7tu

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 26, 2022
Vulnerability Reserved
Feb 24, 2022

Credit

Jayateertha Guruprasad

JSON