xmldom@0.1.15 vulnerabilities

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

latest version

0.6.0
first published

13 years ago
latest version published

4 years ago
licenses detected
- (MIT OR LGPL-2.0)
  >=0.1.15
View xmldom package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the xmldom package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C Improper Input Validation xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Improper Input Validation due to parsing XML that is not well-formed, and contains multiple top-level elements. All the root nodes are being added to the `childNodes` collection of the `Document`, without reporting or throwing any error. How to fix Improper Input Validation? There is no fixed version for `xmldom`.	*
H Prototype Pollution xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Prototype Pollution through the `copy()` function in `dom.js`. Exploiting this vulnerability is possible via the `p` variable. DISPUTED This vulnerability has been disputed by the maintainers of the package. Currently the only viable exploit that has been demonstrated is to pollute the target object (rather then the global object which is generally the case for Prototype Pollution vulnerabilities) and it is yet unclear if this limited attack vector exposes any vulnerability in the context of this package. See the linked GitHub Issue for full details on the discussion around the legitimacy and potential revocation of this vulnerability. How to fix Prototype Pollution? There is no fixed version for `xmldom`.	>=0.0.0
M Improper Input Validation xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Improper Input Validation. It does not correctly escape special characters when serializing elements are removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Note: Customers who use "xmldom" package, should use "@xmldom/xmldom" instead, as "xmldom" is no longer maintained. How to fix Improper Input Validation? There is no fixed version for `xmldom`.	*
M XML External Entity (XXE) Injection xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. Does not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. How to fix XML External Entity (XXE) Injection? Upgrade `xmldom` to version 0.5.0 or higher.	<0.5.0

Go back to all versions of this package

xmldom@0.1.15 vulnerabilities

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities