CVE Vulnerability

CVE-2021-21366

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/xmldom/xmldom/releases/tag/0.5.0 Release Notes Third Party Advisory
https://www.npmjs.com/package/xmldom Product Third Party Advisory
https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135 Patch Third Party Advisory
https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
Configurations

Configuration 1

cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
Information

Published : 2021-03-12 05:15

Updated : 2023-01-01 07:15

NVD link : CVE-2021-21366

Mitre link : CVE-2021-21366

Products Affected
No products.
CWE
CWE-115

Misinterpretation of Input

CWE-436