Description
The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.
Remediation
References
https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a
https://github.com/AhmedAdelFahim/express-xss-sanitizer/issues/4
https://runkit.com/embed/w306l6zfm7tu
https://security.snyk.io/vuln/SNYK-JS-EXPRESSXSSSANITIZER-3027443
Related Vulnerabilities
CVE-2021-21388 Vulnerability in npm package systeminformation
CVE-2018-12544 Vulnerability in maven package io.vertx:vertx-web-api-contract
CVE-2020-15174 Vulnerability in npm package electron
CVE-2016-1000342 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on
CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on