Vulnerability-Lookup

CVE-2021-21366 (GCVE-0-2021-21366)

Vulnerability from cvelistv5 – Published: 2021-03-12 00:00 – Updated: 2024-08-03 18:09

Title

Misinterpretation of malicious XML input

Summary

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-436 - Interpretation Conflict
CWE-115 - Misinterpretation of Input

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	xmldom	xmldom	Affected: < 0.5.0

GSD-2021-21366

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-21366

Aliases

CVE-2021-21366

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21366",
    "description": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
    "id": "GSD-2021-21366"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-21366"
      ],
      "details": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
      "id": "GSD-2021-21366",
      "modified": "2023-12-13T01:23:11.263581Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21366",
        "STATE": "PUBLIC",
        "TITLE": "Misinterpretation of malicious XML input"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "xmldom",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.5.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "xmldom"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-436 Interpretation Conflict"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-115: Misinterpretation of Input"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv",
            "refsource": "CONFIRM",
            "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
          },
          {
            "name": "https://www.npmjs.com/package/xmldom",
            "refsource": "MISC",
            "url": "https://www.npmjs.com/package/xmldom"
          },
          {
            "name": "https://github.com/xmldom/xmldom/releases/tag/0.5.0",
            "refsource": "MISC",
            "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
          },
          {
            "name": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135",
            "refsource": "MISC",
            "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
          },
          {
            "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-h6q6-9hqw-rwfv",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.5.0",
          "affected_versions": "All versions before 0.5.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-436",
            "CWE-937"
          ],
          "date": "2023-02-28",
          "description": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
          "fixed_versions": [
            "0.7.0"
          ],
          "identifier": "CVE-2021-21366",
          "identifiers": [
            "CVE-2021-21366",
            "GHSA-h6q6-9hqw-rwfv"
          ],
          "not_impacted": "All versions starting from 0.5.0",
          "package_slug": "npm/@xmldom/xmldom",
          "pubdate": "2021-03-12",
          "solution": "Upgrade to version 0.7.0 or above.",
          "title": "Interpretation Conflict",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21366",
            "https://github.com/xmldom/xmldom/releases/tag/0.5.0",
            "https://www.npmjs.com/package/xmldom",
            "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135",
            "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
          ],
          "uuid": "3eb6e911-1ede-42eb-ae94-f36e86afd57e"
        },
        {
          "affected_range": "\u003c0.5.0",
          "affected_versions": "All versions before 0.5.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-436",
            "CWE-937"
          ],
          "date": "2023-02-28",
          "description": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.As a workaround downstream applications can validate the input and reject the maliciously crafted documents.",
          "fixed_versions": [
            "0.5.0"
          ],
          "identifier": "CVE-2021-21366",
          "identifiers": [
            "CVE-2021-21366",
            "GHSA-h6q6-9hqw-rwfv"
          ],
          "not_impacted": "All versions starting from 0.5.0",
          "package_slug": "npm/xmldom",
          "pubdate": "2021-03-12",
          "solution": "Upgrade to version 0.5.0 or above.",
          "title": "Interpretation Conflict",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21366"
          ],
          "uuid": "b68475a6-317d-4e73-bcfe-4fb57baa6b92"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21366"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-436"
                },
                {
                  "lang": "en",
                  "value": "CWE-115"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/xmldom/xmldom/releases/tag/0.5.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
            },
            {
              "name": "https://www.npmjs.com/package/xmldom",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://www.npmjs.com/package/xmldom"
            },
            {
              "name": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
            },
            {
              "name": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
            },
            {
              "name": "[debian-lts-announce] 20230101 [SECURITY] [DLA 3260-1] node-xmldom security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-02-28T19:24Z",
      "publishedDate": "2021-03-12T17:15Z"
    }
  }
}

GHSA-H6Q6-9HQW-RWFV

Vulnerability from github – Published: 2021-03-12 22:39 – Updated: 2023-01-02 21:51

Summary

Misinterpretation of malicious XML input

Details

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls xmldom

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "xmldom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-115",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T16:21:24Z",
    "nvd_published_at": "2021-03-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nxmldom versions 0.4.0 and older do not correctly preserve [system identifiers](https://www.w3.org/TR/2008/REC-xml-20081126/#d0e4313), [FPIs](https://en.wikipedia.org/wiki/Formal_Public_Identifier) or [namespaces](https://www.w3.org/TR/xml-names11/) when repeatedly parsing and serializing maliciously crafted documents.\n\nThis may lead to unexpected syntactic changes during XML processing in some downstream applications.\n\n### Patches\n\nUpdate to 0.5.0 (once it is released)\n\n### Workarounds\n\nDownstream applications can validate the input and reject the maliciously crafted documents.\n\n### References\n\nSimilar to this one reported on the Go standard library:\n\n- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [`xmldom/xmldom`](https://github.com/xmldom/xmldom)\n* Email us: send an email to **all** addresses that are shown by `npm owner ls xmldom`",
  "id": "GHSA-h6q6-9hqw-rwfv",
  "modified": "2023-01-02T21:51:19Z",
  "published": "2021-03-12T22:39:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21366"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xmldom/xmldom"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/xmldom"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Misinterpretation of malicious XML input"
}

FKIE_CVE-2021-21366

Vulnerability from fkie_nvd - Published: 2021-03-12 17:15 - Updated: 2024-11-21 05:48

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135	Patch
security-advisories@github.com	https://github.com/xmldom/xmldom/releases/tag/0.5.0	Release Notes
security-advisories@github.com	https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv	Vendor Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html	Mailing List, Third Party Advisory
security-advisories@github.com	https://www.npmjs.com/package/xmldom	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xmldom/xmldom/releases/tag/0.5.0	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.npmjs.com/package/xmldom	Product

Impacted products

	Vendor	Product	Version
	xmldom_project	xmldom	*
	debian	debian_linux	10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "F6797B31-06DB-419B-B5F2-F51DDC057B56",
              "versionEndExcluding": "0.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents."
    },
    {
      "lang": "es",
      "value": "xmldom es un m\u00f3dulo DOMParser y XMLSerializer basado en el est\u00e1ndar JavaScript W3C puro (XML DOM Level 2 Core).\u0026#xa0;xmldom versiones 0.4.0 y anteriores, no preservan correctamente los identificadores del sistema, los FPI o los espacios de nombres cuando se analizan y serializan repetidamente documentos dise\u00f1ados maliciosos.\u0026#xa0;Esto puede conllevar a cambios sint\u00e1cticos inesperados durante el procesamiento de XML en algunas aplicaciones posteriores.\u0026#xa0;Esto es corregido en la versi\u00f3n 0.5.0.\u0026#xa0;Como soluci\u00f3n alternativa, las aplicaciones posteriores pueden comprobar la entrada y rechazar los documentos dise\u00f1ados maliciosos"
    }
  ],
  "id": "CVE-2021-21366",
  "lastModified": "2024-11-21T05:48:12.493",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-03-12T17:15:12.643",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.npmjs.com/package/xmldom"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/xmldom/xmldom/releases/tag/0.5.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://www.npmjs.com/package/xmldom"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-115"
        },
        {
          "lang": "en",
          "value": "CWE-436"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-436"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-21366 (GCVE-0-2021-21366)

GSD-2021-21366

GHSA-H6Q6-9HQW-RWFV

Impact

Patches

Workarounds

References

For more information

FKIE_CVE-2021-21366

Tags

Sightings

Nomenclature