CVE-2021-23648Cross-site Scripting in Sanitize-url

CWE-79Cross-site Scripting6 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.1%
top 69.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Braintree Sanitize-urlPaypal Braintree Sanitize-urlDebian Node-mermaid+1 more
Timeline
PublishedMar 16
Latest updateMar 17

Description

The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

CVEListV5braintree/sanitize-urlunspecified6.0.0
debiandebian/node-mermaid< node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1 (bullseye)

Also affects: Fedora 34, 35, 36

Patches

Patch: github.comPatch: github.comPatch: snyk.io

🔴Vulnerability Details

3
GHSA
Cross-site Scripting in sanitize-url2022-03-17
OSV
Cross-site Scripting in sanitize-url2022-03-17
OSV
CVE-2021-23648: The package @braintree/sanitize-url before 62022-03-16

📋Vendor Advisories

2
Red Hat
sanitize-url: XSS due to improper sanitization in sanitizeUrl function2022-02-22
Debian
CVE-2021-23648: node-mermaid - The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Sc...2021