CVE-2020-7691 Security Vulnerability Issue
parithibang opened this issue
With the latest version of jspdf:2.5.1 integrated into the project, I am getting a security vulnerability issue:
CVE-2020-7691 EPSS: 0.17% CVSS: 6.1
In all versions of the package jspdf, it is possible to use <<script>script> in order to go over the filtering regex.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7691
- https://nvd.nist.gov/vuln/detail/CVE-2020-7691
Will there be a fix for this provided?
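The bypass named in the CVE text quoted above, shown as an added example that is not part of the original issue and is not jsPDF's code: a filter that strips tags in a single pass leaves a working tag behind when one is nested inside another. `FILTER`, `SAMPLE` and the function names are constructed for illustration; the regex is a stand-in, not the expression jsPDF used.

```javascript
// Added illustration. FILTER is a constructed stand-in for a tag-stripping
// regex; it is not the expression jsPDF used.
const FILTER = /<\/?script[^>]*>/gi;

// Weak: one replace pass. Removing the inner tag splices a new tag together
// from the characters on either side of it.
function stripOnce(html) {
  return html.replace(FILTER, "");
}

// Narrow fix: repeat until the output stops changing, so spliced tags are
// removed too. Still a denylist: it only knows about <script>.
function stripToFixpoint(html) {
  let prev;
  do {
    prev = html;
    html = html.replace(FILTER, "");
  } while (html !== prev);
  return html;
}

// Robust when the input is meant to be text: encode markup characters so
// nothing in the string can be parsed as a tag.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Constructed sample input built around the string quoted in the CVE text.
const SAMPLE = "<<script>script>x<</script>/script>";

function demo() {
  return {
    once: stripOnce(SAMPLE),            // a complete script element survives
    fixpoint: stripToFixpoint(SAMPLE),  // only the text content is left
    escaped: escapeHtml(SAMPLE),        // markup rendered inert as text
  };
}

console.log(demo());
```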
Hey @parithibang, copying my response from eKoopmans/html2pdf.js#677:
Thanks for the heads up!
The good news is that the `fromHTML` method reported in CVE-2020-7691 no longer exists in jsPDF:
- It was deprecated in 2018 and removed sometime after that
- It's not defined on a jsPDF object
- The replacement `html` method is actually just a clone of htmlpdf.js (fun with recursion 🙃)
I think this should be safe to close, but I'll leave that to the judgment of @parallax.
This issue is stale because it has been open 90 days with no activity. It will be closed soon. Please comment/reopen if this issue is still relevant.