Brijesh Bhalala created ATLAS-5298:
--------------------------------------
Summary: Fix Critical XSS Vulnerability in sanitize-html dependency
Key: ATLAS-5298
URL: https://issues.apache.org/jira/browse/ATLAS-5298
Project: Atlas
Issue Type: Task
Components: atlas-core
Affects Versions: 2.5.0
Reporter: Brijesh Bhalala
Assignee: Brijesh Bhalala
h4. *Problem*
A critical security vulnerability has been identified in the {{sanitize-html}}
library used in the project.
Current affected versions:
* {{sanitize-html <= 2.17.3}}
Issue:
* Vulnerability allows *Cross-Site Scripting (XSS)* via {{xmp}} raw-text
passthrough handling.
* This can potentially allow attackers to inject malicious scripts into
sanitized HTML content.
* Severity: *CRITICAL*
This impacts any feature where user-generated HTML is sanitized before
rendering.
----
h4. *Impact*
If exploited, this vulnerability may lead to:
* Execution of malicious JavaScript in the browser
* Session hijacking or token theft
* UI manipulation / phishing attacks inside the application
* Compromise of user data in frontend context
----
h4. *Root Cause*
The {{sanitize-html}} dependency allows unsafe handling of certain raw-text
HTML tags (like {{xmp}}), leading to improper sanitization and script
injection risk.