CVE-2021-32796

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
Configurations

Configuration 1 (hide)

cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*

History

21 Nov 2024, 06:07

Type Values Removed Values Added
References () https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b - Patch, Third Party Advisory () https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b - Patch, Third Party Advisory
References () https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q - Third Party Advisory () https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q - Third Party Advisory
References () https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ - Not Applicable, Third Party Advisory () https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ - Not Applicable, Third Party Advisory
CVSS v2 : 5.0
v3 : 5.3
v2 : 5.0
v3 : 6.5

25 Apr 2022, 17:25

Type Values Removed Values Added
CWE CWE-91

04 Aug 2021, 20:04

Type Values Removed Values Added
CPE cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 5.3
CWE CWE-116
References (MISC) https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ - (MISC) https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ - Not Applicable, Third Party Advisory
References (MISC) https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b - (MISC) https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b - Patch, Third Party Advisory
References (CONFIRM) https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q - (CONFIRM) https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q - Third Party Advisory

30 Jul 2021, 14:15

Type Values Removed Values Added
Summary xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents. xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

27 Jul 2021, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-07-27 22:15

Updated : 2024-11-21 06:07


NVD link : CVE-2021-32796

Mitre link : CVE-2021-32796

CVE.ORG link : CVE-2021-32796


JSON object : View

Products Affected

xmldom_project

  • xmldom
CWE
CWE-116

Improper Encoding or Escaping of Output

CWE-91

XML Injection (aka Blind XPath Injection)