CVE-2024-47875 - Cross Site Scripting (XSS)

Severity: None

2025-03-11


Abstract

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

The Oxygen products incorporate DOMPurify as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen Feedback v5.1 and older | None | N/A
Oxygen XML Author v26.1 and older | None | Oxygen XML Author 26.1 build 2025060207
Oxygen XML Editor v26.1 and older | None | Oxygen XML Editor 26.1 build 2025060207
Oxygen Publishing Engine v26.1 and older | None | Oxygen Publishing Engine 26.1 build 2025053100
Oxygen XML WebHelp v26.1 and older | None | Oxygen XML WebHelp 26.1 build 2025053008

Mitigation

None

Detail

CVE-2024-47875

Severity: Critical

CVSS Score: 10.0

The DOMPurify third-party library used by Oxygen XML products is among the affected versions mentioned in the CVE-2024-47875 vulnerability description. However, the DOMPurify features used in Oxygen Feedback are not publicly accessible.

DOMPurify is used in various user-facing components of Oxygen XML WebHelp for data sanitization. However, Oxygen XML WebHelp also implements other layers of user input data sanitization.

For these reasons, Oxygen products are not affected by this vulnerability.
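As an added example (not Oxygen's or DOMPurify's own code), the check a maintainer would run over a project's lockfile to confirm which bundled copies of DOMPurify carry the fix; the thresholds 2.5.0 and 3.1.3 come from the abstract above, and the lockfile content is constructed.

```javascript
// Added example: flag DOMPurify versions still affected by CVE-2024-47875.
// Per the advisory, the fix shipped in 2.5.0 (2.x line) and 3.1.3 (3.x line).
const FIXED_VERSIONS = { 2: [2, 5, 0], 3: [3, 1, 3] };

// Parse "v3.2.4" / "3.2.4" into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given DOMPurify version includes the nesting-based mXSS fix.
function isDomPurifyFixed(version) {
  const v = parseVersion(version);
  const major = v[0];
  if (major < 2) return false;   // 1.x and older lines never received the fix
  if (major > 3) return true;    // any later major line succeeds 3.1.3
  return compareVersions(v, FIXED_VERSIONS[major]) >= 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3) and
// report every DOMPurify copy, including nested ones pulled in transitively.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/dompurify' || path.endsWith('/node_modules/dompurify')) {
      findings.push({ path, version: meta.version, fixed: isDomPurifyFixed(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is on the fixed 3.2.4 the
// advisory names, while a nested copy under a hypothetical dependency lags.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    'node_modules/dompurify': { version: '3.2.4' },
    'node_modules/example-widget/node_modules/dompurify': { version: '2.4.0' },
  },
});

console.table(auditLockfile(SAMPLE_LOCK));
```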

Revision History

2025-06-03 Starting with Oxygen XML Author version 26.1 build 2025060207, DOMPurify was updated to version 3.2.4, which includes a fix for CVE-2024-47875.

2025-06-03 Starting with Oxygen XML Editor version 26.1 build 2025060207, DOMPurify was updated to version 3.2.4, which includes a fix for CVE-2024-47875.

2025-06-03 Starting with Oxygen Publishing Engine version 26.1 build 2025053100, DOMPurify was updated to version 3.2.4, which includes a fix for CVE-2024-47875.

2025-06-03 Starting with Oxygen XML WebHelp version 26.1 build 2025053008, DOMPurify was updated to version 3.2.4, which includes a fix for CVE-2024-47875.
