CVE-2020-8923

EPSS 0.09%
Veröffentlicht 26.03.2020 12:15:12
Zuletzt bearbeitet 21.11.2024 05:39:41
Quelle cve-coordination@google.com
CVE-Watchlists
Login
Unerledigt
Login

An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dart ≫ Dart Software Development Kit Version < 2.7.2

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev0.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev1.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev10.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev11.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev12.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev13.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev14.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev15.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev16.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev2.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev3.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev4.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev5.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev6.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev7.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev8.0

Dart ≫ Dart Software Development Kit Version2.8.0 Updatedev9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.256

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
cve-coordination@google.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/dart-lang/sdk/security/advisories/GHSA-hfq3-v9pv-p627

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-8923

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-8923

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-8923

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-8923