CVE-2021-32796

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Configurations

Configuration 1

cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 06:07

Type: References
Values Removed: https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b - Patch, Third Party Advisory
Values Added: https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b - Patch, Third Party Advisory

Type: References
Values Removed: https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q - Third Party Advisory
Values Added: https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q - Third Party Advisory

Type: References
Values Removed: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ - Not Applicable, Third Party Advisory
Values Added: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ - Not Applicable, Third Party Advisory

Type: CVSS
Values Removed: v2 : 5.0, v3 : 5.3
Values Added: v2 : 5.0, v3 : 6.5

Information

Published : 2021-07-27 22:15

Updated : 2024-11-21 06:07


NVD link : CVE-2021-32796

Mitre link : CVE-2021-32796

CVE.ORG link : CVE-2021-32796



Products Affected

xmldom_project

  • xmldom

CWE

CWE-116

Improper Encoding or Escaping of Output

CWE-91

XML Injection (aka Blind XPath Injection)