Vulnerability Details CVE-2021-23899
OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 62.2%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e
- https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2
- https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0
- https://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e
- https://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2
- https://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0
Products affected by CVE-2021-23899
-
cpe:2.3:a:owasp:json-sanitizer:1.0
-
cpe:2.3:a:owasp:json-sanitizer:1.1
-
cpe:2.3:a:owasp:json-sanitizer:1.2.0
-
cpe:2.3:a:owasp:json-sanitizer:1.2.1