Source: prototypejs
Version: 1.7.1-3.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.7.1-3

Hi,

The following vulnerability was published for prototypejs.

CVE-2020-27511[0]:
| An issue was discovered in the stripTags and unescapeHTML components
| in Prototype 1.7.3 where an attacker can cause a Regular Expression
| Denial of Service (ReDOS) through stripping crafted HTML tags.

Basically this bug is just to track the issue downstream for us in Debian.
Though upstream's last release was several years ago, in 2015, I wonder
whether post-bullseye release this bug's severity should be raised to RC.
There are many (build)-rdeps on it, so this cannot simply be removed from
the archive.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-27511
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27511
[1] https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md

Regards,
Salvatore
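The CVE quoted in the report describes a ReDoS in a regex-based tag stripper. The block below is an added illustration of the mitigation direction, written for this page; it is not prototypejs code, not the upstream fix, and not from the bug report. It implements tag stripping as a single left-to-right scan with no regular expression, so the cost is linear in the input length regardless of how the tags are shaped. The function name `stripTagsLinear` and the quote-tracking behaviour (a `>` inside a quoted attribute value does not end the tag) are assumptions of this example, and the sample inputs are constructed.

```javascript
// Added example (not from prototypejs or the bug report): a linear-time
// tag stripper that avoids backtracking regular expressions altogether.
// Each character is visited exactly once, so pathological inputs that make
// a regex engine backtrack cannot make this function slow.
function stripTagsLinear(html) {
  let out = "";
  let inTag = false;
  let quote = null; // quote character currently open inside a tag, or null

  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (!inTag) {
      if (c === "<") {
        inTag = true; // start of a tag: stop copying text
      } else {
        out += c;
      }
    } else if (quote !== null) {
      if (c === quote) quote = null; // closing quote of an attribute value
    } else if (c === '"' || c === "'") {
      quote = c; // opening quote: a '>' inside it does not end the tag
    } else if (c === ">") {
      inTag = false; // end of tag: resume copying text
    }
  }
  // Design choice (assumption): an unterminated '<' swallows the rest of
  // the input rather than being echoed back, which is the safer default.
  return out;
}

// Rough check that the cost really is linear: the run time for 10x the
// input should be roughly 10x, not orders of magnitude more. Returns the
// length of the stripped output so a caller can assert on it.
function stripTagsLengthFor(repeat) {
  const constructed = "<a href=\"x>y\">" + "<".repeat(repeat) + "text";
  return stripTagsLinear(constructed).length;
}

// Usage: plain tags are removed, attribute values containing '>' are handled.
console.log(stripTagsLinear('<p class="x">Hello <b>world</b></p>')); // Hello world
console.log(stripTagsLinear('<a title="a>b">link</a>'));             // link
console.log(stripTagsLengthFor(100000));                              // 0
```

The constructed long input in `stripTagsLengthFor` would be one way to exercise a replacement stripper in a unit test: with a linear scanner the call returns immediately, and the same test run against a regex-based implementation is where a backtracking blow-up would show up as a timeout.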