CVE-2021-23648

Published: Mar 16, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.

Affected (4)

Products: Paypal: Braintree/sanitize Url · Fedoraproject: Fedora

1 product

Braintree/sanitize Url

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Paypal Braintree/sanitize Url	Before 6.0.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (14)

https://github.com/braintree/sanitize-url/blob/main/src/index.ts%23L11

Source: report@snyk.io

Broken Link

https://github.com/braintree/sanitize-url/pull/40

Source: report@snyk.io

Issue TrackingPatchThird Party Advisory

https://github.com/braintree/sanitize-url/pull/40/commits/e5afda45d9833682b705f73fc2c1265d34832183

Source: report@snyk.io

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/

Source: report@snyk.io

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/

Source: report@snyk.io

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/

Source: report@snyk.io

https://snyk.io/vuln/SNYK-JS-BRAINTREESANITIZEURL-2339882

Source: report@snyk.io

ExploitPatchThird Party Advisory

https://github.com/braintree/sanitize-url/blob/main/src/index.ts%23L11

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://github.com/braintree/sanitize-url/pull/40

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/braintree/sanitize-url/pull/40/commits/e5afda45d9833682b705f73fc2c1265d34832183

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://snyk.io/vuln/SNYK-JS-BRAINTREESANITIZEURL-2339882

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.