CVE-2021-23899

CRITICAL9.8EPSS 0.44%

Arbitrary code injection in json-sanitizer

Published: 6/16/2021Modified: 11/8/2023

Description

OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Affected packages (1)

Maven/com.mikesamuel:json-sanitizerfrom 0, < 1.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23899
WEBhttps://github.com/OWASP/json-sanitizer/commit/a37f594f7378a1c76b3283e0dab9e1ab1dc0247e
WEBhttps://github.com/OWASP/json-sanitizer/compare/v1.2.1...v1.2.2
WEBhttps://groups.google.com/g/json-sanitizer-support/c/dAW1AeNMoA0