Description
The package express-xss-sanitizer before 1.1.3 are vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass xss sanitization.
Remediation
References
https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/3bf8aaaf4dbb1c209dcb8d87a82711a54c1ab39a
https://github.com/AhmedAdelFahim/express-xss-sanitizer/issues/4
https://security.snyk.io/vuln/SNYK-JS-EXPRESSXSSSANITIZER-3027443
https://runkit.com/embed/w306l6zfm7tu
Related Vulnerabilities
CVE-2022-39368 Vulnerability in maven package org.eclipse.californium:scandium
CVE-2021-32660 Vulnerability in npm package techdocs-common
CVE-2011-2093 Vulnerability in maven package com.adobe.blazeds:flex-messaging-core
CVE-2016-6796 Vulnerability in maven package org.apache.tomcat:tomcat-jasper
CVE-2022-29219 Vulnerability in npm package @chainsafe/lodestar