[
https://issues.apache.org/jira/browse/ATLAS-5298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Brijesh Bhalala updated ATLAS-5298:
-----------------------------------
Summary: Atlas React UI - Fix Critical XSS Vulnerability in sanitize-html
dependency (was: Fix Critical XSS Vulnerability in sanitize-html dependency)
> Atlas React UI - Fix Critical XSS Vulnerability in sanitize-html dependency
> ---------------------------------------------------------------------------
>
> Key: ATLAS-5298
> URL: https://issues.apache.org/jira/browse/ATLAS-5298
> Project: Atlas
> Issue Type: Task
> Components: atlas-core
> Affects Versions: 2.5.0
> Reporter: Brijesh Bhalala
> Assignee: Brijesh Bhalala
> Priority: Major
>
> h4. *Problem*
> A critical security vulnerability has been identified in the
> {{sanitize-html}} library used in the project.
> Current affected versions:
> * {{sanitize-html <= 2.17.3}}
> Issue:
> * Vulnerability allows *Cross-Site Scripting (XSS)* via {{xmp}} raw-text
> passthrough handling.
> * This can potentially allow attackers to inject malicious scripts into
> sanitized HTML content.
> * Severity: *CRITICAL*
> This impacts any feature where user-generated HTML is sanitized before
> rendering.
> ----
> h4. *Impact*
> If exploited, this vulnerability may lead to:
> * Execution of malicious JavaScript in the browser
> * Session hijacking or token theft
> * UI manipulation / phishing attacks inside the application
> * Compromise of user data in frontend context
> ----
> h4. *Root Cause*
> The {{sanitize-html}} dependency allows unsafe handling of certain raw-text
> HTML tags (like {{{}xmp{}}}), leading to improper sanitization and script
> injection risk.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
