CVE-2021-23899

EPSS 0.44%
Veröffentlicht 13.01.2021 16:15:14
Zuletzt bearbeitet 21.11.2024 05:52:01
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Owasp ≫ Json-sanitizer Version < 1.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.604

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e

Patch

Third Party Advisory

https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2

Patch

Third Party Advisory

https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-23899

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-23899

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-23899

EUVD