Cross-site Scripting (XSS)
CVE-2021-23443

5.4MEDIUM

Key Information:

Vendor: Adonisjs
Status: Edge.js
Vendor: CVE Published:; 21 September 2021

What is CVE-2021-23443?

This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.

Affected Version(s)

edge.js < 5.3.2

References

https://snyk.io/vuln/SNYK-JS-EDGEJS-1579556

x_refsource_MISC

https://github.com/edge-js/edge/commit/fa2c7fde86327aeae2...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 21, 2021
Vulnerability Reserved
Jan 8, 2021

Credit

Alessio Della Libera of Snyk Research Team

CVE-2021-23443 Data

JSON