Description
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function, it would not have its contents escaped.
An improper neutralization of input vulnerability was found in datatables.net. If an array is passed to the HTML escape entities function, it does not have its contents escaped, possibly leading to cross site scripting (XSS).
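The defect described above is easiest to see with a small escaper in the "before" shape and the same function hardened. The code below is an added illustrative example, not DataTables' own source: `escapeHtmlEntitiesVulnerable` escapes strings only and returns every other value untouched, `escapeHtmlEntitiesHardened` recurses into arrays before escaping, and `renderCell` is an assumed stand-in for a renderer that joins a multi-value cell into markup (DataTables' real rendering path is not reproduced here). The sample cell values are constructed.

```javascript
// Added example (not DataTables' code). Shows why an array reaching an
// HTML-entity escaper that only handles strings ends up in markup unescaped,
// and the hardened shape that closes the gap.

const replaceEntities = (s) =>
  s.replace(/&/g, "&amp;")   // '&' first so later replacements are not double-escaped
   .replace(/</g, "&lt;")
   .replace(/>/g, "&gt;")
   .replace(/"/g, "&quot;");

// "Before" shape: only strings are escaped. An array (or any other non-string
// value) is handed back as-is, so its elements reach the DOM with raw markup.
function escapeHtmlEntitiesVulnerable(d) {
  return typeof d === "string" ? replaceEntities(d) : d;
}

// Hardened shape: recurse into arrays so each element is escaped; numbers,
// null and other non-strings still pass through unchanged.
function escapeHtmlEntitiesHardened(d) {
  if (Array.isArray(d)) {
    return d.map(escapeHtmlEntitiesHardened);
  }
  return typeof d === "string" ? replaceEntities(d) : d;
}

// Assumed renderer: a multi-value cell is joined into one string for display.
// This is an assumption about how such a value would reach markup, not the
// library's own cell-building code.
function renderCell(escapeFn, value) {
  const escaped = escapeFn(value);
  return Array.isArray(escaped) ? escaped.join(", ") : String(escaped);
}

// Defender check: did any raw angle bracket survive escaping?
function containsRawMarkup(html) {
  return /[<>]/.test(html);
}

// Constructed sample cell values (not taken from the advisory).
const SAMPLE_STRING = 'Ann <b>"Smith"</b> & co';
const SAMPLE_ARRAY = ["alpha", "b<i>eta</i>", "gamma & delta"];

// Runs all three cases and returns the rendered strings for inspection.
function demo() {
  return {
    stringVuln: renderCell(escapeHtmlEntitiesVulnerable, SAMPLE_STRING),
    arrayVuln: renderCell(escapeHtmlEntitiesVulnerable, SAMPLE_ARRAY),
    arrayHardened: renderCell(escapeHtmlEntitiesHardened, SAMPLE_ARRAY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the string case escaped correctly by both versions, the array case passing `<i>` through untouched in the vulnerable version, and the hardened version escaping every element. The `containsRawMarkup` check is the kind of assertion a test suite for an escaping helper should carry for each input type it accepts, not just for plain strings.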
Statement
The improper neutralization of input vulnerability in DataTables.net is considered a moderate severity issue because, while it allows for potential cross-site scripting (XSS) attacks, it requires specific conditions to be exploited effectively. An attacker must have the ability to inject malicious input into the system, and the application must pass this input to the HTML escape entities function without proper validation. Although XSS can lead to significant security risks, such as session hijacking and data theft, the impact is somewhat mitigated by the necessity of these preconditions. Moreover, this vulnerability does not compromise the underlying server or database directly, limiting its scope primarily to client-side exploitation.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | datatables.net | Will not fix | | |
| Red Hat Discovery 1 | discovery-server-container | Will not fix | | |
| Red Hat Enterprise Linux 8 | cockpit | Not affected | | |
| Red Hat Enterprise Linux 8 | cockpit-appstream | Not affected | | |
| Red Hat Fuse 7 | datatables.net | Will not fix | | |
| Red Hat JBoss Data Grid 7 | datatables.net | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 8 | datatables.net | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | datatables.net | Affected | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-console | Out of support scope | | |
| Red Hat Process Automation 7 | datatables.net | Will not fix | | |
Additional information
Status:
CVSS3: 6.1 Medium