CVE-2021-32796 — Improper Encoding or Escaping of Output in Xmldom

CWE-116 — Improper Encoding or Escaping of Output CWE-91 — XML Injection (aka Blind XPath Injection)CWE-20 — Improper Input Validation6 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

1.1%

top 21.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Xmldom Xmldom Project Xmldom Debian Node-xmldom

Timeline

PublishedJul 27

Latest updateAug 3

Description

xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted docum…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5xmldom/xmldom< 0.7.0

▶npmxmldom/xmldom< 0.7.0+1

▶debiandebian/node-xmldom< node-xmldom 0.7.3-1 (bookworm)

▶NVDxmldom_project/xmldom< 0.7.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Misinterpretation of malicious XML input↗2021-08-03

▶

GHSA

Misinterpretation of malicious XML input↗2021-08-03

▶

OSV

CVE-2021-32796: xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module↗2021-07-27

▶

📋Vendor Advisories

Red Hat

nodejs-xmldom: misinterpretation of malicious XML input↗2021-07-27

▶

Debian

CVE-2021-32796: node-xmldom - xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Cor...↗2021

▶