[ https://issues.apache.org/jira/browse/ATLAS-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18084269#comment-18084269 ]

ASF subversion and git services commented on ATLAS-5298:
--------------------------------------------------------

Commit 079e44c9e6d72819a4a89041f562f8528119f86a in atlas's branch refs/heads/master from Brijesh Bhalala
[ https://gitbox.apache.org/repos/asf?p=atlas.git;h=079e44c9e ]

ATLAS-5298: Atlas-React UI: Fix Critical XSS Vulnerability in sanitize-html dependency (#641)

> Atlas React UI: Fix Critical XSS Vulnerability in sanitize-html dependency
> --------------------------------------------------------------------------
>
>                 Key: ATLAS-5298
>                 URL: https://issues.apache.org/jira/browse/ATLAS-5298
>             Project: Atlas
>          Issue Type: Task
>          Components:  atlas-core
>    Affects Versions: 2.5.0
>            Reporter: Brijesh Bhalala
>            Assignee: Brijesh Bhalala
>            Priority: Major
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> h4. *Problem*
> A critical security vulnerability has been identified in the 
> {{sanitize-html}} library used in the project.
> Current affected versions:
>  * {{sanitize-html <= 2.17.3}}
> Issue:
>  * Vulnerability allows *Cross-Site Scripting (XSS)* via {{xmp}} raw-text 
> passthrough handling.
>  * This can potentially allow attackers to inject malicious scripts into 
> sanitized HTML content.
>  * Severity: *CRITICAL*
> This impacts any feature where user-generated HTML is sanitized before 
> rendering.
> ----
> h4. *Impact*
> If exploited, this vulnerability may lead to:
>  * Execution of malicious JavaScript in the browser
>  * Session hijacking or token theft
>  * UI manipulation / phishing attacks inside the application
>  * Compromise of user data in frontend context
> ----
> h4. *Root Cause*
> The {{sanitize-html}} dependency allows unsafe handling of certain raw-text 
> HTML tags (like {{xmp}}), leading to improper sanitization and script 
> injection risk.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
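A defender-side check the ticket implies but does not include, added here as an example that is neither the Atlas commit nor code from the Jira thread: a Node script that walks a package-lock.json "packages" map and reports every installed copy of sanitize-html whose version falls in the range the ticket marks as affected (<= 2.17.3), nested copies included. The lockfile fragment, the package name `some-editor` and the version 2.18.0 used as "above the range" are constructed for the example, not taken from the Atlas UI.

```javascript
// Added example, not from the Atlas repository: report every installed copy of
// sanitize-html in a package-lock.json (lockfile v2/v3 "packages" map) whose
// version falls in the range ATLAS-5298 reports as affected (<= 2.17.3).
const AFFECTED_PKG = 'sanitize-html';
const LAST_AFFECTED = '2.17.3'; // upper bound stated in the ticket

// Numeric comparison of dotted versions (pre-release suffix ignored); -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  return compareVersions(version, LAST_AFFECTED) <= 0;
}

// Nested installs appear as node_modules/<parent>/node_modules/sanitize-html,
// so a suffix match catches copies at any depth, not just the hoisted one.
function findAffectedCopies(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + AFFECTED_PKG)) continue;
    if (meta.version && isAffectedVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not the Atlas UI's real lockfile): the hoisted
// copy is above the affected range, a nested copy under an editor package is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-ui' },
    'node_modules/sanitize-html': { version: '2.18.0' },
    'node_modules/some-editor': { version: '1.0.0' },
    'node_modules/some-editor/node_modules/sanitize-html': { version: '2.11.0' },
  },
};

for (const hit of findAffectedCopies(SAMPLE_LOCK)) {
  console.log(`affected: ${hit.path} (${hit.version})`);
}
```

Against a real lockfile, replace SAMPLE_LOCK with the parsed file; an empty result means no copy in the affected range is installed, while any hit names the exact install path to upgrade.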