CVE-2021-23445 — Cross-site Scripting in Datatables.net

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 40.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Datatables Datatables.net Debian Datatables.js Msrc Cbl2 Reaper 3.1.1-19 ON CBL Mariner 2.0 +2 more

Timeline

PublishedSep 27

Latest updateSep 29

Description

This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages7 packages

▶debiandebian/datatables.js< datatables.js 1.10.21+dfsg-3 (bookworm)

▶CVEListV5datatables/datatables.netunspecified — 1.11.3

▶NVDdatatables/datatables.net< 1.11.3

▶npmdatatables/datatables.net< 1.11.3

▶msrcmsrc/cbl2_reaper_3.1.1-19_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Cross site scripting in datatables.net↗2021-09-29

▶

OSV

Cross site scripting in datatables.net↗2021-09-29

▶

OSV

CVE-2021-23445: This affects the package datatables↗2021-09-27

▶

📋Vendor Advisories

Red Hat

datatables.net: contents of array not escaped by HTML escape entities function↗2021-09-27

▶

Microsoft

Cross-site Scripting (XSS)↗2021-09-14

▶

Debian

CVE-2021-23445: datatables.js - This affects the package datatables.net before 1.11.3. If an array is passed to ...↗2021

▶