Misinterpretation of malicious XML input
CVE-2021-21366

4.3MEDIUM

Key Information:

Vendor: Xmldom
Status: Xmldom
Vendor: CVE Published:; 12 March 2021

What is CVE-2021-21366?

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Affected Version(s)

xmldom < 0.5.0

References

https://github.com/xmldom/xmldom/security/advisories/GHSA...

https://www.npmjs.com/package/xmldom

https://github.com/xmldom/xmldom/releases/tag/0.5.0

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 12, 2021
Vulnerability Reserved
Dec 22, 2020

CVE-2021-21366 Data

JSON

Xmldom

What is CVE-2021-21366?

Affected Version(s)

References

CVSS V3.1

Timeline