Address CVE-2020-7691 ( very similar to CVE-2020-7690 ) #2971
Comments
I think this should in fact be fixed already. If not, it's an issue of DOMPurify, the library we use to sanitize HTML strings.
I believe you just need to update the optional dependency on dompurify to ^2.1.0 and update the lock file. If that sounds good, I can make a PR for this.
@HackbrettXXX I see this issue is closed, but https://nvd.nist.gov/vuln/detail/CVE-2020-7691 still says that all pdfjs versions are affected (which includes the latest one as well), as opposed to https://nvd.nist.gov/vuln/detail/CVE-2020-7690, which correctly mentions that only versions < 2.0.0 are affected.
Thanks, I'll look into that.
Hello!
This vulnerability is very similar to #2795 so I think it should be already fixed.
The fact is that gemnasium, which is a dependency scanner, is warning about this issue:
+------------+----------------------------------------------------------------------------------+
| Severity | Medium |
| Identifier | CVE-2020-7691 |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2020-7691 |
| Scanner | gemnasium |
| Message | Cross-site Scripting in jspdf |
| Package | jspdf 2.1.1 |
| Solution | Unfortunately, there is no solution available yet. |
| Path | |
| File | yarn.lock |
+------------+----------------------------------------------------------------------------------+
And it is very similar to the one that was solved in the mentioned issue, so I don't know if there is something that needs to be done.
I did a test and it is working well here.
If you could do a quick check, I would appreciate it.
Thank you!