[GHSA-v2wj-7wpq-c8vv] DOMPurify contains a Cross-site Scripting vulnerability#7261
Pull request overview
Updates a GitHub-reviewed security advisory for GHSA-v2wj-7wpq-c8vv, primarily touching scoring metadata and references.
Changes:
- Removed the CVSS v3 score entry from the advisory severity list
- Removed a duplicate/broken reference URL
- Bumped the advisory `modified` timestamp
| "severity": [ | ||
| { | ||
| "type": "CVSS_V3", | ||
| "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" | ||
| }, | ||
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" |
PR description says "Updates - CVSS v3", but the diff removes the CVSS_V3 entry entirely. If the intent is to update CVSS v3, adjust/replace the v3 vector/score instead of deleting it; if the intent is to drop CVSS v3, please update the PR description accordingly.
| "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safeforxml" | ||
| } | ||
| ], | ||
| "database_specific": { |
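Review bot: the references hunk drops the vulncheck.com entry outright, while the PR body says "Fix broken link"; if the advisory at that URL has moved, replace the entry with the working URL under the same "url" key rather than removing the reference, and if the source was dropped on purpose, state that in the PR description so the change to the references list is documented.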
The PR description requests adding finder credit ("I would like to ask for credit as I was the finder"), but no credit/acknowledgements field appears to be added in this change. If credit is intended, add it in the appropriate advisory field (per this repo’s advisory schema/conventions), or update the PR description to reflect that credit is out-of-scope for this PR.
Updates
Comments
Fix broken link, and also I would like to ask for credit as I was the finder