textract icon indicating copy to clipboard operation
textract copied to clipboard

Published 20 hours ago verified publisher icon dbashford

CVE-2021-21366

Open OlivierB-OB opened this issue 3 years ago • 5 comments

Hi,

A vulnerability has been reported on xmldom

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv

OlivierB-OB avatar Mar 15 '21 09:03 OlivierB-OB

Hi @dbashford ,

I'm wondering... any particular reason your specifying exact dependencies versions from your package.json? Allowing any compatible version would make your library forward compatible with these kind of fixes...

OlivierB-OB avatar Mar 31 '21 10:03 OlivierB-OB

Hi @dbashford Did you get chance to look into it and have an update?

prafullkulkarni avatar Apr 26 '21 06:04 prafullkulkarni

Hi @dbashford Did you get chance to look into it and have an update?

prafullkulkarni avatar Jun 07 '21 05:06 prafullkulkarni

Hi @dbashford Any update on this issue?

prafullkulkarni avatar Sep 14 '21 06:09 prafullkulkarni

Hi @dbashford Any specific reason, there is no update on this issue?

prafullkulkarni avatar Oct 08 '21 09:10 prafullkulkarni