CVE-2021-32696

Опубликовано: 18 июн. 2021

Источник: nvd

CVSS3: 3.7

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.

Ссылки

https://github.com/ericnorris/striptags/commit/f252a6b0819499cd65403707ebaf5cc925f2faca
Patch
Third Party Advisory
https://github.com/ericnorris/striptags/releases/tag/v3.2.0
Third Party Advisory
https://github.com/ericnorris/striptags/security/advisories/GHSA-qxg5-2qff-p49r
Third Party Advisory
https://www.npmjs.com/package/striptags
Product
Third Party Advisory
https://github.com/ericnorris/striptags/commit/f252a6b0819499cd65403707ebaf5cc925f2faca
Patch
Third Party Advisory
https://github.com/ericnorris/striptags/releases/tag/v3.2.0
Third Party Advisory
https://github.com/ericnorris/striptags/security/advisories/GHSA-qxg5-2qff-p49r
Third Party Advisory
https://www.npmjs.com/package/striptags
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:striptags_project:striptags:*:*:*:*:*:node.js:*:*

Версия до 3.2.0 (исключая)

EPSS

Процентиль: 52%

0.00292

Низкий

3.7 Low

CVSS3

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-79

CWE-843

Связанные уязвимости

GHSA-qxg5-2qff-p49r

CVSS3: 3.7

github

больше 4 лет назад

Passing in a non-string 'html' argument can lead to unsanitized output

BDU:2021-03269

CVSS3: 4.8

fstec

больше 4 лет назад

Уязвимость пакета npm striptags, связанная с ошибками обработки типов данных, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

EPSS

Процентиль: 52%

0.00292

Низкий

3.7 Low

CVSS3

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-79

CWE-843