CVE-2021-21366: Misinterpretation of Input in Xmldom

Severity
4.3 MEDIUM (NVD)
EPSS
0.6%
top 31.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 12
Latest update: May 24

Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously cra

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

CVEList V5: xmldom/xmldom < 0.5.0
npm: xmldom/xmldom < 0.5.0
Debian: debian/node-xmldom < node-xmldom 0.5.0-1 (bookworm)

Also affects: Debian Linux 10.0

Patches

Vulnerability Details (4)

OSV: node-xmldom vulnerabilities (2023-05-24)
GHSA: Misinterpretation of malicious XML input (2021-03-12)
OSV: Misinterpretation of malicious XML input (2021-03-12)
OSV: CVE-2021-21366: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module (2021-03-12)

Vendor Advisories (3)

Ubuntu: xmldom vulnerabilities (2023-05-24)
Red Hat: xmldom: incorrect parsing and serialization leads to unexpected behavior (2023-03-12)
Debian: CVE-2021-21366: node-xmldom - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser ... (2021)