
Snyk vulnerability from xmldom #246

Closed
shresthasamir4119 opened this issue Nov 3, 2021 · 2 comments

Comments

@shresthasamir4119

xmldom XML External Entity (XXE) Injection
Introduced through: [email protected]
Fixed in: [email protected]

Introduced through: [email protected][email protected]

Overview
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It does not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

@dbauszus-glx
Contributor

dbauszus-glx commented Jan 20, 2022

This cannot be fixed by simply upgrading the dependency to 0.5.0.

Snyk has also identified issues in xmldom 0.6.0.

The maintainer of xmldom is no longer able to publish to npm as xmldom, but only as @xmldom/xmldom.

The latest version of @xmldom/xmldom has no reported vulnerabilities but it is not possible to manually install this dependency prior to installing saml2-js. The dependency should be changed to @xmldom/xmldom for which the current version is 0.8.0.

There is already a pull request for this which needs to be released: #245
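The practical question behind this comment is whether a lockfile still pulls in the unscoped `xmldom` package (the name the maintainer can no longer publish to) rather than the scoped `@xmldom/xmldom`. The script below is an added example, not code from saml2-js or from anyone in this thread: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy of unscoped `xmldom` together with the package that required it. The embedded lockfile and its version strings are constructed for the example and do not reflect the real saml2-js dependency tree.

```javascript
"use strict";
// Added example (not part of saml2-js or the issue): detect installs of the
// unscoped "xmldom" package in an npm lockfile, as opposed to "@xmldom/xmldom".

// Path suffixes under which each package appears in a lockfile "packages" map.
const UNSCOPED = "node_modules/xmldom";
const SCOPED = "node_modules/@xmldom/xmldom";

// Constructed sample lockfile (lockfileVersion 3 layout). Version strings are
// placeholders for this example, not real saml2-js or xmldom versions.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "saml2-js": "0.0.0-example" } },
    "node_modules/saml2-js": {
      version: "0.0.0-example",
      dependencies: { xmldom: "0.0.0-example" }
    },
    "node_modules/saml2-js/node_modules/xmldom": { version: "0.0.0-example" },
    "node_modules/@xmldom/xmldom": { version: "0.8.0" }
  }
});

// Parse the lockfile and return its flat "packages" map.
function parseLock(lockJson) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) {
    // lockfileVersion 1 uses a nested "dependencies" tree instead of a flat map.
    throw new Error("lockfile has no 'packages' map; regenerate it with npm >= 7 (lockfileVersion 2 or 3)");
  }
  return lock.packages;
}

// One record per installed copy of unscoped xmldom, with the node_modules path
// of the package that pulled it in ("(root)" for a top-level install).
function findUnscopedXmldom(lockJson) {
  const packages = parseLock(lockJson);
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path !== UNSCOPED && !path.endsWith("/" + UNSCOPED)) continue;
    const parent = path === UNSCOPED ? "" : path.slice(0, path.length - UNSCOPED.length - 1);
    hits.push({ path, version: meta.version, requiredBy: parent === "" ? "(root)" : parent });
  }
  return hits;
}

// True when the scoped, maintained package is installed anywhere in the tree.
function hasScopedXmldom(lockJson) {
  const packages = parseLock(lockJson);
  return Object.keys(packages).some((p) => p === SCOPED || p.endsWith("/" + SCOPED));
}

// Scan a lockfile string and print a short report; returns the hit list.
function scan(lockJson) {
  const hits = findUnscopedXmldom(lockJson);
  if (hits.length === 0) {
    console.log("no unscoped xmldom found");
  } else {
    for (const h of hits) {
      console.log(`unscoped xmldom ${h.version} at ${h.path} (required by ${h.requiredBy})`);
    }
  }
  console.log(`scoped @xmldom/xmldom present: ${hasScopedXmldom(lockJson)}`);
  return hits;
}

// CLI use: `node check-xmldom.js path/to/package-lock.json`; without an argument
// the constructed sample is scanned. A non-zero exit code is set only for a real file.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lockJson = file ? require("fs").readFileSync(file, "utf8") : SAMPLE_LOCK;
  const hits = scan(lockJson);
  if (file) process.exitCode = hits.length === 0 ? 0 : 1;
}
```

Run it against a project's `package-lock.json` in CI to fail the build while any copy of the unscoped package remains; the `requiredBy` field tells you which dependency (here `saml2-js`) still declares it, which is the information needed to decide whether an upstream fix such as #245 has actually reached your tree.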

mcab added a commit that referenced this issue Oct 15, 2022
Updates some dependencies.

Closes #232, #234, #237, #240, #246, #248, #252.
@mcab
Member

mcab commented Oct 15, 2022

Addressed in #261.

@mcab mcab closed this as completed Oct 15, 2022