CVE-2021-23899

Published: Jan 13, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Affected (1)

Products: Owasp: Json Sanitizer

Owasp

1 product

Json Sanitizer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Owasp Json Sanitizer	Before 1.2.2

Related CWEs

CWE-611

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (6)

https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2

Source: cve@mitre.org

PatchThird Party Advisory

https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0

Source: cve@mitre.org

Third Party Advisory

https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.